New York State Comptroller Thomas P. DiNapoli today announced the following local government and school audits were issued.
City of Salamanca – Collections (Cattaraugus County)
The city comptroller’s collections were not always accurately recorded and because adequate collection records were not always maintained, auditors could not determine whether deposits were generally made in a timely manner. Auditors reviewed 29 deposits totaling nearly $2 million that consisted of 1,835 entries made during the audit period and determined: 1,759 entries lacked a duplicate press-numbered receipt which precluded them from determining whether deposits were made in a timely manner. Another 34 entries totaling approximately $50,000 did not have the correct form of payment (cash or check) listed in the collection records and 26 entries totaling approximately $18,000 did not have either the correct check number included on the collection records, or no check number was listed at all. Auditors found no collections were lost, misused or misappropriated, but because complete and reliable collections were not always maintained, there is an increased risk of city collections being lost, misused or misappropriated.
Piseco Common School District – Authorized Investments (Hamilton County)
District officials did not invest in accordance with statutory requirements. As a result, district investments were at an increased risk of loss. District officials did not adhere to the district’s investment policy and invested $35,000 in an investment account that is not statutorily authorized. The board re-adopted its investment policy annually but did not ensure the district’s investments complied with the policy’s list of eligible investments. In addition, the board did not develop procedures to address investment requirements.
Village of Afton – Claims Auditing and Disbursements (Chenango County)
The board did not properly audit claims, and as a result, payments were made prior to audit, for unsupported claims and for inappropriate purposes. Of the 98 claims totaling $155,528 reviewed: 53 claims totaling $13,356 were paid prior to audit and one claim totaling $793 did not include adequate supporting documentation, such as itemized receipts. The village reimbursed the former mayor for two payments totaling $1,500 for the village’s accounting software that she paid for with her personal credit card. The village should not reimburse anyone other than current village officials or employees. In addition, auditors reviewed 50 disbursements totaling $11,480 and determined that the board did not properly monitor non-payroll disbursements. As a result, there is an increased risk that errors or inappropriate transactions could occur and remain undetected.
Beacon Central School District – Information Technology (IT) (Dutchess County)
District officials did not ensure network user accounts were adequately managed. Unnecessary enabled network user accounts are additional entry points into a network and, if accessed by attackers, could potentially be compromised or used for malicious purposes. In addition to sensitive IT control weaknesses that were communicated confidentially to district officials, auditors found that officials did not disable 281 unneeded network user accounts of the 1,280 accounts reviewed. The accounts included 153 student accounts, 89 nonstudent accounts, and 39 shared and service accounts.
Copiague Union Free School District – Information Technology (Suffolk County)
District officials did not properly manage nonstudent network user accounts and financial software access controls. As a result, data and personal, private and sensitive information accessible by those accounts were at a greater risk for unauthorized access, misuse or loss. Auditors found that officials did not disable 316 nonstudent network user accounts (24%) that were not needed, including two user accounts assigned to employees that left the district more than 17 years ago. In addition, the district did not ensure that employees had the appropriate access to the financial software necessary to perform their job functions or provide IT security awareness and data privacy training annually to all officials and employees with access to financial and other sensitive data.
OnTECH Charter High School – Information Technology (Onondaga County)
School officials did not ensure IT systems were adequately secured and protected against unauthorized use, access and loss. In addition to sensitive IT control weaknesses that were communicated confidentially to officials, the board and officials did not adequately manage user accounts and permissions. As a result, the six computers tested had unneeded user accounts and unnecessary administrative permissions. Officials also did not monitor Internet usage for compliance with the school’s acceptable use policy. As a result, there is an increased risk of school computers being exposed to malicious software. In addition, officials did not develop and adopt an IT contingency plan and provide staff with IT security awareness training.