Sodus Central School District – Software Management (2022M-64)

Issued Date
November 23, 2022

[read complete report – pdf]

Audit Objective

Determine whether Sodus Central School District (District) officials ensured only appropriate, necessary and authorized software was installed on District computers.

Key Findings

District officials did not establish adequate controls to prevent inappropriate, unnecessary and unauthorized software from being installed on District computers. As a result, we found:

  • All 39 network user accounts that we reviewed had permissions that allowed the accounts’ users to install software on their computers without authorization.
  • Of 134 software applications that we reviewed, only three (2 percent) were listed on the District’s software inventory and 27 (20 percent) were unneeded or did not have a specific business purpose, including eight unauthorized software applications on 17 different computers.

In addition, sensitive IT control weaknesses were communicated confidentially to officials.

Key Recommendations

  • Limit permissions for installing software to users who need these permissions to perform their job duties and responsibilities.
  • Maintain a complete and comprehensive software inventory list of all authorized, appropriate and necessary software installed on District computers.
  • Establish comprehensive written procedures for installing and periodically reviewing software on District computers.

District officials agreed with our recommendations and have initiated or indicated they planned to initiate corrective action.