[read complete report - pdf]

Audit Objective

Determine whether Pelham Union Free School District (District) officials established adequate controls over user accounts to help prevent unauthorized use, access and loss, and adopted an adequate IT contingency plan.

Key Findings

District officials did not establish adequate controls over user accounts to help prevent against unauthorized use, access, and loss, and did not adopt an adequate IT contingency plan. In addition to sensitive IT control weaknesses that were communicated confidentially to officials, officials did not:

• Periodically review unneeded user accounts and permissions to determine whether they were appropriate or needed to be disabled.
  • 33 individuals who left employment and 221 students who were no longer enrolled had active network user accounts.
  • Three generic accounts were not needed for District operations.
  • Four user accounts had unnecessary permissions.
• Ensure the District’s IT contingency plan was comprehensive, distributed and tested to minimize the risk of data loss or prevent a serious interruption of services.

Key Recommendations

• Develop written procedures for managing network and financial application user account access and develop and adopt a comprehensive IT contingency plan.

District officials agreed with our recommendations and indicated they plan to initiate corrective action.