New York State Comptroller Thomas P. DiNapoli today announced the following local government audits were issued.
The former supervisor did not ensure all cash in his custody was properly collected and disbursed and did not provide oversight of the bookkeepers, who performed all financial duties, including online banking. The board did not adopt written policies and procedures for cash receipts and disbursements and online banking. In 2020, the former bookkeeper received $1,254 in dental and vision insurance through the town and paid $126 of the premium cost. There was no documentation to support why she was entitled to receive these benefits. The findings regarding the former bookkeeper were referred to outside law enforcement for review.
District officials did not demonstrate that certain goods and services related to the 2021-22 capital improvement project (CIP) were procured in accordance with district policies, statutory requirements and good business practices. Of the nine CIP contracts totaling $4.4 million awarded to vendors, officials could not show they competitively awarded two contracts, totaling $2.8 million. Instead of using competitive bidding, officials used vendors who were granted awards from group purchasing organization contracts. However, officials could not demonstrate that they performed cost-benefit analyses to determine if using these vendors was in the district’s best interest.
Onondaga Cortland Madison Board of Cooperative Educational Services (BOCES) – Cash Management (2023M-40)
Over an 18-month period, officials missed an opportunity for BOCES to realize additional interest earnings totaling $310,865. Officials did not develop and manage a comprehensive investment program or develop procedures for the operation of the investment program in compliance with the board investment policy. Officials also did not invest available funds throughout the audit period in an authorized cooperative municipal investment fund that offered higher interest rates. They did not prepare monthly cash flow forecasts or ensure interest rate quotes were solicited to maximize earnings.
In addition to finding sensitive information technology (IT) control weaknesses, auditors found that district officials should have developed procedures for granting, changing and disabling network user accounts and ensured staff disabled 181 unneeded network user accounts. Seven of these users left the district between 2011 and 2019.
In addition to sensitive network access control weaknesses, district officials did not establish written policies or adequate written procedures for managing network user account access, including adding or disabling user accounts and permissions. The district had 230 unneeded enabled network user accounts, including those for former students, former employees and others who were no longer providing services to the district.
Amherst Central School District – Network User Account Access and Application User Accounts and Permissions (Erie County)
District officials did not adequately secure user account access to the network or properly manage user accounts and permissions in financial and student information applications, leading to a significant risk that network resources, financial data and student information could be inappropriately altered, accessed, or used. In addition to sensitive control weaknesses that were communicated confidentially, officials did not disable unnecessary network user accounts or revoke unnecessary network user account access. As many as 1,570 accounts were unneeded but were not disabled and four accounts had unnecessary network administrative access. The district also did not disable application user accounts or properly restrict permissions in the financial and student information applications.
The board did not ensure that cash disbursements were properly approved, accurately recorded, had adequate supporting documentation and were for association purposes. Auditors found that 138 disbursements (28%) totaling $39,929 did not have an itemized invoice or receipt (or other such documentation) and a documented, specific association purpose. Five disbursements totaling $1,308 were not recorded in the accounting records. In addition, the board did not adopt adequate bylaws or written policies or enforce compliance with the limited bylaws and policies that it adopted or establish adequate controls over disbursements, such as auditing all claims and reviewing bank statements and canceled check images.