Audit Objective
Did Steuben County (County) officials limit and monitor access to and properly safeguard computerized data in the finance and personnel departments and County Clerk’s office?
Audit Period
January 1, 2023 – July 31, 2025.
We expanded the scope of the audit to look at all network user accounts, permissions and security settings.
Understanding the Audit Area
County officials must safeguard computerized data in the finance and personnel departments and the County Clerk’s office to help protect sensitive information, prevent fraud, comply with legal requirements and maintain public trust. Limiting and monitoring access is crucial to prevent unauthorized access by internal or external threats, which could lead to data breaches, financial theft, identity theft or other harmful consequences for individuals. Protecting computerized data has become especially important as attempts to disrupt computer networks or gain unauthorized access to information, using malware and other types of attacks, continue to rise.
The Director of Information Technology (IT Director) serves as the Chief Information Officer (CIO) and oversees the IT department and computerized environment, including controls over computerized data. County officials[1] are responsible for designing and implementing policies and procedures to safeguard computerized data.
Audit Summary
County officials did not limit and monitor access to and properly safeguard computerized data used by employees in the finance and personnel departments and County Clerk’s office. As a result, County officials cannot be assured that County-owned computerized data was secured and protected against unauthorized use, access and loss, and there is an increased risk that County officials could lose important data and suffer a serious interruption in operations.
Specifically, County officials did not:
- Inventory and classify computerized data, including personal, private or sensitive information (PPSI),[2]
- Ensure the security of County-owned data in the custody of third-party service providers,
- Update and test IT contingency planning and backup procedures,
- Provide periodic information security awareness training, and
- Ensure network user accounts were properly managed.
Sensitive IT control weaknesses were communicated confidentially to County officials.
The report includes 10 recommendations that, if implemented, will improve the internal controls over the County’s IT system. County officials agreed with our recommendations and indicated they will take corrective action. County officials’ responses are included in Appendix B.
We conducted this audit pursuant to Article V, Section 1 of the State Constitution and the State Comptroller’s authority as set forth in Article 3 of the New York State General Municipal Law. Our methodology and standards are included in Appendix C.
The County Legislature (Legislature) has the responsibility to initiate corrective action. A written corrective action plan (CAP) that addresses the findings and recommendations in this report should be prepared and provided to our office within 90 days, pursuant to Section 35 of the New York State General Municipal Law. For more information on preparing and filing your CAP, please refer to our brochure, Responding to an OSC Audit Report, which you received with the draft audit report. We encourage the Legislature to make the CAP available for public review.
[1] County officials include the Legislature, County Manager, County Clerk, Commissioner of Finance, Personnel Officer and IT Director.
[2] PPSI is any information to which unauthorized access, disclosure, modification, destruction or use – or disruption of access or use – could have or cause a severe impact on critical functions, employees, customers, third-parties or other individuals or entities.
