Town of Amherst – Information Technology (2025M-120)

Issued Date
July 17, 2026

[read complete report – pdf]

Audit Objective 

Did Town of Amherst (Town) officials properly secure user account access to the network? 

Audit Period 

January 1, 2023 – May 1, 2025 

Understanding the Audit Area 

A computer network is a group of connected computer systems that can communicate with each other, often for the purposes of accessing, sharing, maintaining and managing information stored on connected systems. A town relies on its network for daily business functions, such as maintaining financial records including employees’ personnel and payroll records which contain personal, private and sensitive information (PPSI).1 To minimize the risk of unauthorized network access, town officials must properly secure user account access to the town’s network. A secured network can help protect employees’ and residents’ PPSI, ensure the continuity of essential services and prevent financial losses from cyberattacks. 

The Director of Information Technology (IT Director) is responsible for managing the Town’s IT resources, including securing network access for 324 network user accounts and 92 network service accounts, managing hardware inventories, and overseeing the IT department composed of five individuals, including the Network Manager, responsible for overseeing the Town’s IT hardware and software installations. 

Audit Summary 

Town officials did not properly secure user account access to the network. As a result, the Town was exposed to an increased chance of unauthorized network access which could cause a variety of disruptions to the Town, ranging from minor operational disruptions to network outages or data breaches. 

IT department employees did not disable 11 unneeded network service accounts, two of which had administrative access. Additionally, the IT department did not receive a request to disable network user accounts for three departing employees for more than 30 days after the employee separated from the Town. The IT Director was not aware of the unneeded user and service accounts because he did not require IT department employees to perform a periodic review of network user account access. 

Additionally, IT department employees did not maintain an accurate and up-to-date IT hardware inventory list. Specifically, 30 virtual servers out of 272 devices reviewed were not included in the Town’s inventory list. Without proper IT inventory records, officials cannot be assured that they are aware of and have properly secured all the hardware that users could use to access the network. 

Sensitive IT control weaknesses were communicated confidentially to Town officials. 

The report includes five recommendations that, if implemented, will improve the Town’s IT practices to secure user account access to the network. Town officials generally agreed with our recommendations, and their response is included in Appendix B.

We conducted this audit pursuant to Article V, Section 1 of the State Constitution and the State Comptroller’s authority as set forth in Article 3 of the New York State General Municipal Law (GML). Our methodology and standards are included in Appendix C. 

The Town Board (Board) has the responsibility to initiate corrective action. A written corrective action plan (CAP) that addresses the findings and recommendations in this report should be prepared and provided to our office within 90 days, pursuant to Section 35 of GML. For more information on preparing and filing your CAP, please refer to our brochure, Responding to an OSC Audit Report, which you received with the draft audit report. We encourage the Board to make the CAP available for public review in the Town Clerk’s office.


1 PPSI is any information to which unauthorized access, disclosure, modification, destruction or use – or disruption of access or use – could have or cause a severe impact on critical functions, employees, customers, third parties or other individuals or entities.