[read complete report – pdf] [read complete 2022 report – pdf]

Purpose of Review

The purpose of our review was to assess the South Orangetown Central School District’s (District) progress, as of September 2025, in implementing our recommendations in the audit report South Orangetown Central School District – Network User Accounts (2022M-24), released in August 2022.

The audit determined that District officials did not:

• Ensure procedures for granting, changing and disabling network access were consistently followed by all departments.
• Always review network user accounts to determine whether they were still needed.
• Disable 30 of the 3,675 network user accounts that were no longer needed. The 30 accounts included 13 generic accounts, nine former employee accounts and eight contractor accounts.

The audit included four recommendations to help the Board improve its oversight of the District’s network user accounts.

Background

The District serves the Town of Orangetown in Rockland County and is governed by an elected five-member Board of Education (Board). The Board is responsible for the general management and control of financial affairs. The Superintendent of Schools is the chief executive officer responsible, along with other administrative staff, for day-to-day management under the Board’s direction. The Director of Technology oversees the Technology Department which provides technology support services to the District. The District contracts with the Lower Hudson Regional Information Center to provide assistance in managing, configuring and securing network user accounts.

Results of Review

Of the four recommendations contained in the 2022M-24 report, we determined, based on our limited procedures, that the Board, IT Director and personnel assistant fully implemented one recommendation and partially implemented three recommendations. As a result, the District’s network user accounts continued to have increased risk for use to inappropriately access and view personal, private and sensitive information (PPSI)¹ on the network or gain access to or control over other IT functions. We also reviewed progress in implementing the recommendations related to the sensitive IT control weaknesses that we reported to officials confidentially and communicated those results confidentially to District officials. 

1 PPSI is any information to which unauthorized access, disclosure, modification, destruction or use – or disruption of access or use – could have or cause a severe impact on critical functions, employees, customers (students), third parties or other individuals or entities.