[read complete report - pdf]

Audit Objective

Determine whether Susquehanna Valley Central School District (District) officials established information technology (IT) controls over user access to protect against unauthorized use, access and loss.

Key Findings

District officials did not establish adequate IT controls over user access to protect against unauthorized use, access and loss. District officials did not:

• Adequately manage user accounts including periodically reviewing and disabling unneeded network user accounts.
• Maintain accurate, complete and up-to-date hardware and software inventory.
• Ensure that computers were free from malicious software. In fact, two malicious software applications were installed on District computers.

Sensitive IT control weaknesses were communicated confidentially to officials.

Key Recommendations

• Develop comprehensive procedures for regularly reviewing user accounts and disabling those that are unnecessary.
• Maintain an accurate, complete and up-to-date hardware and software inventory.
• Adopt and monitor comprehensive IT security policies.

District officials agreed with our recommendations and have initiated or indicated they planned to initiate corrective action.