Town of Clifton Park – Information Technology (2020M-162)

Issued Date
November 19, 2021

[read complete report - pdf]

Audit Objective

Determine whether Town of Clifton Park (Town) officials adequately safeguarded information technology (IT) resources.

Key Findings

Officials did not adequately safeguard IT resources. Although the Town paid an IT service provider more than $98,000 in 2019, officials did not define the provider’s responsibilities.

Specifically, officials did not:

  • Establish a comprehensive IT policy or monitor employee Internet use.
  • Implement comprehensive procedures for managing, and monitoring user access to, the Town’s network and computers. Fourteen user accounts belonged to former employees who left Town employment one month to 15 years before our review.
  • Have a written contract with the Town’s IT provider that described specific services to be provided.

Sensitive IT control weaknesses were communicated confidentially to officials.

Key Recommendations

  • Ensure compliance with IT policies.
  • Develop comprehensive written procedures for managing and monitoring network user accounts.
  • Develop a written IT service level agreement.

Town officials disagreed with certain aspects of our findings and recommendations, but indicated they have initiated corrective action. Appendix B includes our comments on issues raised in the Town’s response letter.