LaFargeville Central School District – Information Technology (2021M-192)

Issued Date
March 18, 2022

[read complete report - pdf]

Audit Objective

Determine whether LaFargeville Central School District (District) officials established adequate information technology (IT) controls over physical IT assets and nonstudent
network user account access.

Key Findings

District officials did not establish adequate IT controls over physical IT assets and non-student user account access to the District’s network. In addition to sensitive IT  control weaknesses that were communicated confidentially to officials, we found:

  • 235 IT assets costing $108,462 were not recorded in the District’s inventory records, and seven computers, two audio systems, one projector and 10 other electronic components that cost $9,266 could not be found.
  • No physical access or environmental controls over the server room.
  • Improperly managed network user accounts.
  • The District’s disaster recovery plan was outdated, inadequate and not tested.

Key Recommendations

  • Implement procedures to properly account for physical IT assets throughout the District.
  • Establish physical security and environmental controls over the server room.
  • Immediately disable unneeded network user accounts and regularly review and update network user accounts for necessity and appropriateness.
  • Develop and adopt a written IT contingency plan.

Except as specified in Appendix A, District officials generally agreed with our recommendations. Appendix B includes our comment on an issue raised in the District’s
response.