Auburn Enlarged City School District – Building Access (S9-26-13)

Issued Date
July 10, 2026

[read complete report – pdf]

Audit Objective

Did Auburn Enlarged City School District (District) officials properly manage and monitor building access accounts and devices?

Audit Period

July 1, 2024 – November 30, 2025

We extended our audit period to January 29, 2026, to review access activity logs.

Understanding the Audit Area

Building access controls are essential for enhancing security and enabling school officials to manage and monitor entry points within educational institutions. These systems authenticate a user through devices such as key fobs, keycards, badges or similar technologies, helping to ensure only authorized individuals can enter school buildings. By limiting access in this way, schools can better safeguard their facilities and maintain a safe and secure environment for students, teachers, staff and visitors.

The District utilizes a building access management system (system) with 1,276 active building access accounts (accounts), including 828 devices issued to current employees and 448 issued to non-employees, of which 137 are shared devices.1 Each of the District’s eight school buildings has a single public point of entry. Employees may also access the buildings through additional secured entry points, which require a device for entry.

Audit Summary

District officials did not properly manage and monitor building access accounts and devices (badges). As a result, there was a potential risk for unauthorized access to District school buildings, compromising building security and safety for students, teachers, staff and visitors. Specifically, of the accounts we reviewed, the District had active, but unneeded, accounts with assigned badges in the system:

  • 26 District employees and one non-employee had two active badges each. 
  • 32 percent of individual non-employee accounts reviewed were not disabled when no longer needed. 
  • 56 percent of shared badges issued did not comply with the District’s building management procedures. 
  • 85 percent of shared badges we reviewed were unneeded. 

Although District officials had a process for adding accounts in the system for employees and non-employees, no one periodically reviewed active accounts to determine whether they were needed. These issues occurred because District officials did not follow the written procedures that clearly described and assigned responsibilities to District officials for managing and monitoring accounts, as well as issuing and monitoring badges.

This report includes five recommendations that, if implemented, will help District officials improve management and monitoring of building access accounts and badges. District officials generally agreed with our recommendations and their response is included in Appendix B.

This audit was conducted pursuant to Article V, Section 1 of the State Constitution and the State Comptroller’s authority as set forth in Article 3 of New York State General Municipal Law (GML). The audit’s methodology and standards are included in Appendix C.

The Board of Education (Board) has the responsibility to initiate corrective action. A written corrective action plan (CAP) that addresses the findings and recommendations in this report must be prepared and provided to OSC within 90 days, pursuant to Section 35 of GML, Section 2116-a (3)(c) of the New York State Education Law and Section 170.12 of the Regulations of the Commissioner of Education. To the extent practicable, implementation of the CAP must begin by the end of the next fiscal year. For more information on preparing and filing your CAP, please refer to the OSC brochure, Responding to an OSC Audit Report, which you received with the draft audit report. The CAP should be posted on the District’s website for public review.


1 A shared account or device is assigned to a user for a specific role or function but not assigned to a specific individual (e.g., vendors or first responders).