Get documents about "ithaca
W
Shared by: chrstphr
Categories
Tags
new york, state government, legislation, state of new york legislature, dmv, bills, rules, public, reports, fiscal, issues, policy, studies, legal, schedules, documents, state house, impact, pdf, doc, laws, school district, nyc, new york city, new york city council, gov, assembly, new york senate, taxes, governor
-
Stats
- views:
- 15
- posted:
- 12/3/2009
- language:
- English
- pages:
- 32
Document Sample
OFFICE OF THE NEW YORK STATE COMPTROLLER
D IVISION OF LOCAL GOVERNMENT
& SCHOOL ACCOUNTABILITY
Ithaca
City School District
Internal Controls Over
Selected Financial Operations
and Potential Cost Savings
Report of Examination
Period Covered:
July 1, 2006 — May 29, 2008
2008M-237
Thomas P. DiNapoli
Table of Contents
Page
AUTHORITY LETTER 3
EXECUTIVE SUMMARY 4
INTRODUCTION 6
Background 6
Objectives 6
Scope and Methodology 7
Comments of District Officials and Corrective Action 7
PROCUREMENT 8
Procurement Policy 8
Competitive Bidding 9
Purchase Orders 10
Recommendations 11
CASH RECEIPTS AND DISBURSEMENTS 12
Segregation of Duties 12
Treasurer’s Signature Disk 13
Claims Auditing 14
Recommendations 15
INFORMATION TECHNOLOGY 16
Cost Savings 16
Disaster Recovery Plan 17
Passwords 17
User Access Rights 18
Recommendations 19
DIVISION OF LOCAL GOVERNMENT AND SCHOOL ACCOUNTABILITY 1
1
Table of Contents
Page
APPENDIX A Goods and Services Purchased That Circumvented
the Purchase Order System 20
APPENDIX B Weighted Average Electricity Demand 21
APPENDIX C Potential Kilowatt-Hour Savings 22
APPENDIX D Response From District Officials 23
APPENDIX E Audit Methodology and Standards 27
APPENDIX F How to Obtain Additional Copies of the Report 30
APPENDIX G Local Regional Office Listing 31
2 OFFICE OF THE NEW YORK STATE COMPTROLLER
State of New York
Office of the State Comptroller
Division of Local Government
and School Accountability
January 2009
Dear School District Officials:
A top priority of the Office of the State Comptroller is to help school district officials manage their
districts efficiently and effectively and, by so doing, provide accountability for tax dollars spent to
support district operations. The Comptroller oversees the fiscal affairs of districts statewide, as well
as districts’ compliance with relevant statutes and observance of good business practices. This fiscal
oversight is accomplished, in part, through our audits, which identify opportunities for improving
district operations and Board of Education governance. Audits also can identify strategies to reduce
district costs and to strengthen controls intended to safeguard district assets.
Following is a report of our audit of the Ithaca City School District, entitled Internal Controls Over
Selected Financial Operations and Potential Cost Savings. This audit was conducted pursuant to Article
V, Section 1 of the State Constitution, and the State Comptroller’s authority as set forth in Article 3 of
the General Municipal Law.
This audit’s results and recommendations are resources for district officials to use in effectively
managing operations and in meeting the expectations of their constituents. If you have questions about
this report, please feel free to contact the local regional office for your county, as listed at the end of
this report.
Respectfully submitted,
Office of the State Comptroller
Division of Local Government
and School Accountability
DIVISION OF LOCAL GOVERNMENT AND SCHOOL ACCOUNTABILITY 3
3
State of New York
Office of the State Comptroller
EXECUTIVE SUMMARY
The Ithaca City School District (District) is governed by the Board of Education (Board) which
comprises nine elected members. The Board is responsible for the general management and control of
the District’s financial and educational affairs. The Superintendent of Schools (Superintendent) is the
chief executive officer of the District and is responsible, along with other administrative staff, for the
day-to-day management of the District under the direction of the Board.
The Board appointed two purchasing agents to ensure that the District adheres to General Municipal
Law (GML) and District policies and procedures when procuring goods and services. The Treasurer is
the District’s chief accounting officer and is responsible for properly accounting for all District moneys
and for signing District checks. The District utilizes the Onondaga-Cortland-Madison Counties Board
of Cooperative Educational Services (OCM BOCES) to affix the Treasurer’s signature to District
checks using a facsimile signature that is automatically printed onto the District’s blank check stock.
The Board did not appoint a claims auditor, but instead retains the powers and duties of approving or
disapproving claims against the District.
The District utilizes a computerized network to account for its financial operations.
Scope and Objectives
The objectives of our audit were to evaluate the internal controls over selected financial activities to
ensure that District assets were properly safeguarded for the period July 1, 2006 to May 29, 2008, and
to determine if the District could reduce costs related to utilities. Our audit addressed the following
related questions:
• Did District officials and employees provide for adequate controls over procurement in order
to safeguard District assets?
• Did District officials provide for adequate controls over cash receipts and disbursements?
• Did District officials provide for adequate protection and economical use of the District’s
information technology system?
Audit Results
The Board needs to improve its oversight to ensure that District assets are properly safeguarded and
ensure that the District looks for ways to institute cost-saving measures. We found that internal controls
4 OFFICE OF THE NEW YORK STATE COMPTROLLER
need to be improved in the areas of procurement, cash receipts and disbursements, and information
technology.
The District’s written procurement policy does not include specific procedures to follow for obtaining
requests for proposals (RFPs), written quotations, or verbal quotations and the circumstances when
each method should be used. We also found that the purchasing agents did not always ensure that the
District adhered to GML and District policies when procuring goods and services. We determined that
the District did not competitively bid purchases totaling $268,864 as required by GML. The District
also overspent an approved bid by a total of $43,311 during our audit period. Additionally, we found
that the use of purchase orders was not consistent. We found that the District paid 60 invoices totaling
$65,032 prior to District personnel preparing purchase orders for these purchases.
District officials did not segregate the Treasurer’s cash receipts duties or implement other compensating
controls during the majority of our audit period. In addition, the Treasurer did not supervise and control
the use of her facsimile signature, and was not notified when her signature was applied to accounts
payable checks. Our examination of cash receipts and cash disbursements did not disclose any material
discrepancies. The Board did not audit claims during our audit period, and had not appointed a claims
auditor. As a result, District officials made payments without an original invoice and made improper
payments that included movie charges on lodging reimbursements and sales tax.
We found that the District could save $40,100 annually if power management features were
implemented regarding the power settings of District computers. In addition, we found that the Board
has not established a formal disaster recovery plan to protect the District’s data and systems in the
event of a disaster. Furthermore, the District does not require the computer network connection to time
out (terminate) after a reasonable period of inactivity. District officials have not established policies
and procedures to effectively limit users’ access based on the needs of their particular jobs.
Comments of District Officials
The results of our audit and recommendations have been discussed with District officials and their
comments, which appear in Appendix D, have been considered in preparing this report. District officials
generally agreed with our recommendations and indicated they planned to initiate corrective action.
DIVISION OF LOCAL GOVERNMENT AND SCHOOL ACCOUNTABILITY 5
5
Introduction
Background The Ithaca City School District (District) is located in the City of
Ithaca and ten towns in Tompkins and Tioga Counties. The District
is governed by the Board of Education (Board) which comprises
nine elected members. The Board is responsible for the general
management and control of the District’s financial and educational
affairs. The Superintendent of Schools (Superintendent) is the chief
executive officer of the District and is responsible, along with other
administrative staff, for the day-to-day management of the District
under the direction of the Board.
There are 12 schools in operation within the District, with
approximately 5,400 students and approximately 1,200 employees.
The District’s budgeted expenditures for the 2007-08 fiscal year were
approximately $91.1 million, which were funded primarily with State
aid, real property taxes, and grants.
The Board appointed two purchasing agents to ensure that the District
adheres to General Municipal Law (GML) and District policies and
procedures when procuring goods and services. The Treasurer is the
District’s chief accounting officer and is responsible for properly
accounting for all District moneys. The District utilizes the Onondaga-
Cortland-Madison Counties Board of Cooperative Educational
Services (OCM BOCES) to print District checks.
The District utilizes a computerized network to account for its
financial operations.
Objectives The objectives of our audit were to evaluate the internal controls over
selected financial activities to ensure that District assets were properly
safeguarded and to determine if the District could reduce costs related
to utilities. Our audit addressed the following related questions:
• Did District officials and employees provide for adequate
controls over procurement in order to safeguard District
assets?
• Did District officials provide for adequate controls over cash
receipts and disbursements?
• Did District officials provide for adequate protection and
economical use of the District’s information technology
system?
6 OFFICE OF THE NEW YORK STATE COMPTROLLER
Scope and Methodology We examined the District’s internal controls over procurement, cash
receipts and disbursements, and IT for the period July 1, 2006 to May
29, 2008. Our audit found that certain District controls over information
technology needed improvement. Because of the sensitivity of this
information, specific vulnerabilities are not discussed in this report
but have been communicated separately to District officials so they
could take corrective action.
We conducted our audit in accordance with generally accepted
government auditing standards (GAGAS). More information on such
standards and the methodology used in performing this audit are
included in Appendix E of this report.
Comments of District The results of our audit and recommendations have been discussed
Officials and Corrective with District officials and their comments, which appear in Appendix
Action D, have been considered in preparing this report. District officials
generally agreed with our recommendations and indicated they
planned to initiate corrective action.
The Board has the responsibility to initiate corrective action. Pursuant
to Section 35 of the General Municipal Law, Section 2116-a (3)(c)
of the Education Law, and Section 170.12 of the Regulations of the
Commissioner of Education, a written corrective action plan (CAP)
that addresses the findings and recommendations in this report must
be prepared and forwarded to our office within 90 days. To the extent
practicable, implementation of the CAP must begin by the end of
the next fiscal year. For more information on preparing and filing
your CAP, please refer to our brochure, Responding to an OSC Audit
Report, which you received with the draft audit report. The Board
should make the CAP available for public review in the District
Clerk’s office.
DIVISION OF LOCAL GOVERNMENT AND SCHOOL ACCOUNTABILITY 7
7
Procurement
The objectives of a procurement process are to obtain services, materials,
supplies or equipment of the desired quality, specified quantity, and
at the lowest price in compliance with applicable Board and legal
requirements. A main component of the District’s internal controls
relates to purchasing policies and procedures. The Board is responsible
for developing and adopting purchasing policies in accordance with
GML that help safeguard the District’s assets and ensure the prudent
and economical use of District moneys when procuring goods and
services. In turn, the Superintendent and purchasing agents are
responsible for developing purchasing procedures to achieve the
expectations of the Board-adopted policies. The District’s “Purchase
Requests” policy states “no individual may commit the District to
any purchase whatsoever without strict adherence to the procedures
established by the Assistant Superintendent for Business.” The
procedures established by the Assistant Superintendent for Business
included the use of a purchase order system. A properly functioning
purchase order system is effective in controlling expenditures because
it confirms that the fiscal officer was aware of and authorized the
procurement.
Although the District had a written policy relating to the procurement
of goods and services that were not subject to competitive bidding, we
found that the policy was inadequate because it did not provide specific
procedures to follow when procuring such goods and services, i.e., the
number of quotes or requests for proposals (RFPs) required for various
dollar limits. We also found that the District purchased various goods
and services without going through the required competitive bidding
process. In addition, we found that District officials circumvented the
purchase order system by purchasing goods prior to the approval of
a purchase order.
Procurement Policy District officials are required to adopt written policies and procedures
to ensure that the purchase of goods and services is performed in
a manner to ensure both the prudent and economical use of public
moneys. A good procurement policy establishes standards for the
methods of competition when soliciting non-bid procurements and
should contain, at a minimum, requirements that quotations for goods
and services be secured by use of written RFPs, written quotations,
or verbal quotations and the circumstances when each method shall
be used.
Although the District established a written procurement policy, it
does not include specific procedures to follow for obtaining RFPs,
8 OFFICE OF THE NEW YORK STATE COMPTROLLER
written quotations, or verbal quotations and the circumstances when
each method should be used. District officials told us that they were
unaware that they had to develop these additional standards for non-
bid procurements.
By not establishing policies and procedures that require obtaining
multiple proposals, written quotations, or verbal quotations when
competitive bidding is not required, the District cannot be certain that
they are securing goods and services of the desired quality and at the
lowest price.
Competitive Bidding Soliciting competition helps to ensure that contracts are entered into
in a manner which is in the best interest of the public. The appropriate
use of competition provides taxpayers with the greatest assurance that
goods and services are procured in the most prudent and economical
manner and that goods and services of desired quality are being acquired
at the lowest possible price. Competitive bidding is required when
an item or commodity group exceeds dollar limits established under
GML. Current dollar thresholds require school districts to advertise
for bids for purchase contracts in excess of $10,000 and public work
contracts in excess of $20,000, annually. It is the purchasing agents’
responsibility to ensure that the District adheres to GML and District
policies when procuring goods and services.
The purchasing agents did not ensure that the District adhered to GML
and District policies when procuring goods and services because
they did not competitively bid for purchases from vendors that,
when combined, aggregated to amounts that exceeded competitive
bidding thresholds. We reviewed 92 claims paid to 13 vendors
totaling $474,431 that exceeded statutory bid limits to determine if
competitive bidding was required. We determined that 85 claims paid
to 11 of these vendors totaling $410,120 were subject to competitive
bidding because like items purchased throughout the year aggregated
to competitive bidding thresholds. We found exceptions with 75 of
these claims totaling $312,175 that were paid to five vendors:
• The District did not appropriately bid 61 claims totaling
$268,864 that were paid to four vendors for purchases outlined
in the chart below. The total annual dollar amounts paid for
these items exceeded the competitive bidding thresholds,
and the total payments to vendors were therefore subject to
competitive bidding requirements.
DIVISION OF LOCAL GOVERNMENT AND SCHOOL ACCOUNTABILITY 9
9
July 1, 2007 to
Item 2006-07 Total
May 29, 2008
Fuel $79,520 $47,488 $127,008
Website and Multimedia $50,813 $63,786 $114,599
Maintenance
Floor Scrubber NA $14,369 $14,369
Window Blinds $12,888 NA $12,888
Totals $143,221 $125,643 $268,864
• Additionally, the District accepted a bid from one vendor for
audio-visual equipment inventory and maintenance for $3,700
in both 2006-07 and 2007-08. However, District officials paid
14 claims to this vendor in excess of the approved bid amount
by $7,138 in 2006-07 and $36,173 in 2007-08, for a total excess
payment of $43,311. District officials did not recognize the
excess payments as biddable because the payments exceeded
bidding thresholds over multiple transactions that were made
during both fiscal years.
Without proper adherence to laws and established policies and
procedures, the District cannot be sure that they are securing goods
and services in the most economical manner and in the best interest
of District taxpayers.
Purchase Orders Effective controls over purchasing also include the consistent use
of a purchase order system. A purchase order serves as the source
document for vendor payment claims entered into the District’s
accounting system. A fiscal or accounting officer must typically
certify the availability of funds before issuing the purchase request
to the vendor for the goods or services. A properly functioning
purchase order system is effective in controlling expenditures
because it confirms that the fiscal officer is aware of and authorizes
the procurement, and eliminates “surprises” when vendor bills arrive.
Although the District’s procurement policy does not require the use of
purchase orders, District personnel use a purchase order system1 when
procuring goods and services. In addition, the District’s “Purchase
Requests” policy states “no individual may commit the District to
any purchase whatsoever without strict adherence to the procedures
established by the Assistant Superintendent for Business.”
1
In this system, a department head or building principal must complete and approve a
purchase requisition form; an account clerk must verify that sufficient appropriations
are available and approve the requisition form; a second account clerk would then
input the approved requisition into the financial system and create five copies of a
purchase order — two to the vendor, one to the accounts payable clerk, and two to
the requisitioner.
10 OFFICE OF THE NEW YORK STATE COMPTROLLER
We found that the use of purchase orders was not followed consistently.
We reviewed 105 invoices totaling $420,002 for purchases of goods
and services, and found that the District paid 54 invoices totaling
$59,794 prior to District personnel preparing purchase orders for
these purchases.2 In addition, we reviewed 10 credit card claims
totaling $7,344 and found that the District paid six claims totaling
$5,238 prior to the requisition form date. This practice involved a
District staff member placing a verbal order with a vendor, and then
preparing a purchase order after the purchase was made. Since this
process circumvents review and approval by a fiscal officer before
goods are ordered, District officials did not adhere to their “Purchase
Requests” policy.
District staff members were able to order goods prior to the purchase
order being approved because District officials did not strictly enforce
the consistent use of a purchase order system. Circumvention of the
purchase order system can result in purchasing unnecessary and/or
overpriced goods and services.
Recommendations 1. The Board should amend its procurement policy to include specific
procedures to follow for obtaining RFPs, written quotations,
or verbal quotations and the circumstances when each method
should be used.
2. The purchasing agents should bid items when required by GML.
3. District officials should strictly enforce the consistent use of a
purchase order system to ensure that purchase orders are prepared
prior to the ordering and purchasing of goods and services.
2
See Appendix A for a listing of goods and services purchased on these 54
invoices.
DIVISION OF LOCAL GOVERNMENT AND SCHOOL ACCOUNTABILITY 11
11
Cash Receipts and Disbursements
The Board has the fiduciary responsibility to oversee the District’s
financial affairs and ensure that assets are safeguarded properly
and financial affairs are performed in accordance with statutory
and regulatory requirements as well as prudent business practices.
District management is responsible for implementing the Board’s
control directives by designing and documenting appropriate
operating policies and procedures, and properly delineating employee
responsibilities to ensure that cash is properly safeguarded. Such
policies and procedures include providing for the adequate segregation
of financial duties and ensuring that cash disbursements are properly
authorized and made for legitimate District purposes. In addition, the
Board or its appointed claims auditor must audit all claims against
the District prior to payment to verify that they are valid District
expenses.
We found that the District had not properly segregated financial duties
and that the Treasurer did not control the use of her signature. Although
our tests did not identify any improper payments, the District should
correct these control weaknesses to reduce the risk of unauthorized
payments or the misuse of cash receipts. We also found that neither
the Board nor a Board-appointed claims auditor audited claims during
our audit period. As a result, the District paid more than $21,000 for
expenses that may not have been valid District costs.
Segregation of Duties A key to ensuring that District moneys are properly safeguarded is
to segregate financial duties so that one person may not control all
phases of a transaction. In general, the transaction approval function,
the accounting function and the asset custody function should be
separated. For example, one person should not be able to collect cash,
record receipts, and make deposits. If it is not feasible for officials
to adequately segregate conflicting duties that are assigned to one
individual, then District officials should ensure that compensating
controls are in place to protect assets. These controls could include
having someone review the individual’s work.
We found that the District officials did not segregate the Treasurer’s
duties or implement other compensating controls during the majority
of our audit period. The Treasurer collected cash, recorded receipts,
and prepared and made deposits from July 2006 through March 2008.
In addition, even though one of the Business Manager’s managerial
responsibilities is ensuring that the Treasurer properly accounts for
all District moneys, we found that no one reviewed the Treasurer’s
work.
12 OFFICE OF THE NEW YORK STATE COMPTROLLER
Due to the lack of segregation of duties during the majority of our
audit period, we reviewed 296 cash receipts totaling $100.6 million
to ensure that they were properly received, recorded and deposited
timely and intact and reviewed ten bank-to-book reconciliations
to ensure they were prepared monthly and agreed with accounting
records. We also performed various trend analyses and contacted the
Tompkins County Finance Manager to inquire about the collection of
District taxes. Our testing did not reveal any errors.
After we notified the District Treasurer and Superintendent of the
lack of segregation of duties, they immediately took corrective
action and assigned part of the Treasurer’s duties to other Business
Office staff. As of July 2008, a separate Business Office staff person
received all cash receipts and maintained a cash receipts log prior to
forwarding the cash receipts to the Treasurer. In addition, this staff
person also compared bank receipts for District deposits to her cash
receipts log to ensure all cash receipts were deposited. We believe
that the District has now adequately segregated the cash receipts and
disbursement duties.
Treasurer’s Signature Disk As the District official responsible for signing checks, the Treasurer
plays a critical role in the cash disbursement process. The Treasurer
must ensure that her signature is not used to make payments that have
not been approved. Education Law requires the Treasurer’s actual or
facsimile signature be affixed to District checks by the Treasurer or
affixed under the Treasurer’s direct supervision. It is also important
for the Treasurer to then compare the signed checks with a certified
warrant for accuracy and consistency before the checks are issued.
The Treasurer did not supervise and control the use of her facsimile
signature disk, nor was she notified when her signature was applied to
accounts payable checks. Three staff at OCM BOCES have the ability
to apply the Treasurer’s signature to checks, and a District account
clerk then mails the signed checks to vendors. This procedure does
not allow the Treasurer to have direct supervision and control over
the signature process, nor does it allow her to verify the accuracy
and consistency of the printed accounts payable checks prior to their
distribution. In addition, the Treasurer occasionally prepares hand-
drawn checks for various reasons. In these instances, the Treasurer
prepares the check, manually signs the check, and records the check
information in the financial system as a “manual” check. No one
reviews her work.
Due to these control weaknesses, we reviewed certain cash
disbursements to ensure they were appropriate District expenditures.
We reviewed 377 hand-drawn checks totaling $24.2 million, 241
accounts payable checks and their associated claims and warrants
DIVISION OF LOCAL GOVERNMENT AND SCHOOL ACCOUNTABILITY 13
13
totaling $3.1 million, 14 bank transfers totaling $11.2 million, nine
cash activities on bank statements totaling $779,100 and 20 journal
entries with credits to cash totaling approximately $66.8 million. Our
examination did not disclose any material discrepancies.
The Treasurer told us that she believed that other controls, such
as maintaining minimal cash balances in the District’s checking
accounts; reviewing a list of checks printed by OCM BOCES; and
performing bank-to-book reconciliations, were sufficient to mitigate
the risk of a potential misapplication of her electronic signature on
District checks. However, the current check-printing procedure does
not allow the Treasurer to have direct supervision and control over
the signature process, nor does it allow her to verify the accuracy
and consistency of the printed accounts payable checks prior to their
distribution. The failure to ensure that adequate controls are in place
over the Treasurer’s signature disk increases the risk that unauthorized
people may be able to disburse District funds for improper purposes.
The failure to review manual checks prepared, signed and recorded
by the Treasurer also increases the risk that District funds could be
misused.
Claims Auditing An integral part of a good internal control system includes conducting
a proper audit of claims before making payments to determine that the
claims are valid, legal and represent necessary District obligations.
New York State Education Law states that no claim against a school
district, with specific exceptions, shall be paid until it has been
audited and approved. The Board is responsible for establishing an
effective claims auditing system to ensure there is a deliberate and
thorough audit of all claims prior to payment. The Board may adopt a
resolution to appoint a claims auditor, who then assumes the powers
and duties of the Board with respect to the approval and disapproval
of claims against the District. The Board or Board-appointed claims
auditor should also sign-off on a warrant, a detailed listing of bills
ready for payment by the Treasurer, to indicate all claims have been
audited and approved.
Although the Board adopted a policy in June 1974 requiring the audit
of claims prior to their payment, we found that the Board did not
audit claims during our audit period or appoint a claims auditor for
that purpose. In addition, no one signed off on a listing of checks to
indicate that the bills were ready for payment because no one had
audited the claims and approved them for payment by the Treasurer.
Due to the lack of this internal control over claims payment, we tested
63 claims totaling approximately $423,000 and found deficiencies in
claims totaling $21,596:
14 OFFICE OF THE NEW YORK STATE COMPTROLLER
• Nine claims totaling $21,432 did not have an original
invoice attached.
• One claim for the reimbursement to an employee for the
purchase of a District laptop included sales tax of $136.
• Two claims included expenses that were for questionable
purposes. These claims were lodging reimbursements to
a District employee and a Board member that included a
movie charge of $14.05 and a television service charge of
$14.03.
Because the Board failed to provide for the proper audit of District
claims, the District paid for expenses that may not have been
authorized and necessary District costs.
Recommendations 4. The Treasurer should supervise the use of her signature disk
and control and review the checks to which her signature is
applied.
5. District officials should ensure that someone independent of
the cash receipts and disbursements process review the manual
checks prepared by the Treasurer.
6. The Board should audit claims made against the District or
appoint a claims auditor in accordance with New York State
Education Law.
7. The Board or its appointed claims auditor should ensure that
claims are for legitimate District expenses and are properly
documented before approving them for payment. The Board or
its appointed claims auditor must also certify a warrant to direct
the Treasurer to pay the claims after they have been audited and
approved.
8. The Board or its appointed claims auditor should not pay any
claims that include sales tax.
DIVISION OF LOCAL GOVERNMENT AND SCHOOL ACCOUNTABILITY 15
15
Information Technology
District officials rely on an IT system for, among other functions,
maintaining financial data and records. Therefore, the IT system
and the data it stores are valuable District resources. The Board is
responsible for adopting policies to safeguard computerized data and
assets. The Superintendent and the IT Director are then responsible
for developing procedures and practices to meet the expectations
set in the Board’s policies. These policies, procedures, and practices
should all be designed towards securing data and ensuring business
continuity in the most economical means possible.
The IT Director has not required that power management features
be enabled for its computer technology equipment to save electricity
and money. In addition, the IT Director has not effectively addressed
the safeguarding of computerized data and assets by establishing and
monitoring policies and procedures. Specifically, the Superintendent
and IT Director have not developed procedures and practices relating
to a formal disaster recovery plan, network time-outs after a period
of inactivity, and the review of user access rights. These weaknesses
significantly increase the risk that sensitive or mission-critical data
and assets could be lost, compromised, or damaged.
Cost Savings To ensure optimal electricity savings, computers should only be
turned on when in use. Most computer technology is equipped with
power management features which, if enabled, can save electricity
and money. Enabling power management features and directing users
to turn off the computers during certain daily/weekly times helps
minimize the electricity demand and expense to the District.
Using an automated ping test3 during the 2008-09 school year,
District IT staff calculated and reported to us that an average of
705 computers were powered on during non-work hours4 for a
randomly selected seven-day period. During the summer months
of 2008, an automated ping test during another randomly selected
seven-day period indicated that an average of 403 computers were
powered on during non-work hours. IT staff told us that the only
power management settings that District officials used were power
save options on the monitors and such options are not utilized on
3
A ping test is a computer network tool used to determine if a particular host is
reachable across a network.
4
For the purpose of this report the term non-work hours will mean 16 out of 24
hours. We believe it is reasonable that machines would be used for the eight hours
that school is in session. We considered non-work hours to mean 24 hours during
weekend days and established holidays.
16 OFFICE OF THE NEW YORK STATE COMPTROLLER
any of the 2,753 total central processing units (CPUs) for computers
throughout the district. IT staff told us that their current practice was
to leave CPUs powered on so they would be available to have updates
installed to them. We included the District’s additional reasoning in a
confidential IT memo to District officials because of security issues.
The table in Appendix B illustrates the typical electricity demand for
the major computer models at the District by setting type, which we
obtained using an electricity usage monitor. We determined that the
District could realize cost savings of approximately $35,500 per school
year (approximately 285,383 kilowatt-hour (kWh) savings multiplied
by $0.1244 cost per kWh) by reducing its electricity consumption.
Additionally, if the District properly powered down its computers
during the summer months, it could have saved approximately $4,600
(approximately 37,228 kWh savings multiplied by $0.1244 cost
per kWh). This would save the District approximately $40,100 and
322,611 kWh annually. Appendix C illustrates kWh savings. Further,
the District can realize additional cost savings by properly enabling
power save settings that take effect during inactive periods throughout
the standard workday. The cost for implementation is almost zero, yet
the return provides a tangible savings to be used elsewhere in the
District.
Disaster Recovery Plan It is important that the Board establishes a comprehensive disaster
recovery plan to prevent the loss of computer equipment and data,
and provide procedures for recovery and precautions necessary to
minimize the effects of disaster, so that mission critical functions can
be maintained or quickly resumed. The Board must communicate the
plan to all District employees and periodically test it to ensure its
effectiveness.
Although the IT Director has begun implementing components of a
disaster recovery plan, the Board has not established a formal disaster
recovery plan to protect the District’s data and systems in the event of
a disaster. A formal disaster recovery plan has not been implemented
yet because the IT Director has not yet finalized the process for each
component of the plan. Consequently, in the event of a disaster, District
personnel have no guidelines to follow to help minimize or prevent
the loss of equipment and data or guidance on how to implement data
recovery procedures. If there was a disaster causing computer failure,
the problems could range from inconvenient to catastrophic. Even
small disruptions in electronic data systems can require extensive
employee and consultant hours to evaluate and repair.
Passwords Passwords are one of the most basic controls that can be utilized
to mitigate the risk of unauthorized users obtaining access to the
DIVISION OF LOCAL GOVERNMENT AND SCHOOL ACCOUNTABILITY 17
17
District’s computer systems. In order to protect confidentiality, an
effective system of internal controls would require users to change
passwords every 30 to 90 days. The internal control system would
also require that the computer network time-out after a reasonable
period of inactivity. An effective system of internal controls over
passwords can help prevent hackers from impersonating users and
can thereby help prevent the loss, exposure, or corruption of sensitive
information.
We found weaknesses in the District’s use of passwords, which we
communicated to District officials in a confidential IT memo because
of the sensitive nature of the findings. We also found that the District
does not require the computer network connection to time out
(terminate) after a reasonable period of inactivity. This allows users to
stay logged on to their computers throughout the day even when they
are away for extended periods, increasing the risk of unauthorized
access to District information including financial and other sensitive
data. We used a District-provided username and password to log on
to the District’s network and financial software; we were still logged
on after 90 minutes of inactivity.
The failure to enforce a time out after a reasonable period of inactivity
could allow unauthorized users access to the network. Such access
could result in damage, loss, or theft of District data and compromise
the integrity and ongoing operation of the information systems.
User Access Rights A basic management objective for any organization is the protection
of its information system and critical data from unauthorized access.
District officials should establish policies and procedures to effectively
limit user access to computerized data. The District should restrict
access to authorized users, based on the needs of their particular job
functions. For example, the Treasurer and senior account clerk should
be the only employees who have user access rights to perform journal
entries based on their assigned job duties. Having access controls
in place prevents users from being involved in multiple aspects of
financial transactions. In addition, controls should be in place to
deactivate user access rights to the network once a user is no longer
employed by the District.
District officials had inadequate controls in place to effectively limit
users’ access based on the needs of their particular jobs. We reviewed
the user access rights for the Business Office staff and determined that
their access rights were not consistent with their specific job functions.
For example, four employees (other than the Treasurer and senior
account clerk) had access rights to perform journal entries; payroll
department employees had access rights to certain accounts payable
functions; and the purchasing agent, whose electronic signature was
18 OFFICE OF THE NEW YORK STATE COMPTROLLER
applied to purchase orders upon approval, did not have access rights
to approve purchase orders. All of these access rights and permissions
were not consistent with assigned job duties.
We also found that the District had inadequate controls in place to
deactivate user access rights to the network once a user was no longer
employed by the District. We reviewed the user access rights of eleven
individuals who recently left District service and found that nine still
had active user accounts. In addition, two of these nine active users
actually logged onto the network after their termination date. District
officials explained that these two users were teachers who had retired
and then returned as substitute teachers. However, substitute teachers
should not have access to the District’s network.
IT staff members told us that there are no procedures in place to
review user access rights, and there are no policies stating how soon
after separation users should have their access deactivated. Because
of these control weaknesses, the District’s IT system and electronic
data were subject to increased risk that unauthorized activity could
have occurred and remained undetected and uncorrected.
Recommendations 9. The IT Director should enable energy conservation settings, such
as standby or hibernate mode, on all District computers in order
to reduce the District’s electricity consumption costs and ensure
all computers are powered off during periods of inactivity.
10. Once the IT Director fully implements all components of a disaster
recovery plan, the Board should adopt a comprehensive disaster
recovery plan that details specific guidelines for the protection of
private and essential data against damage, loss, or destruction.
11. District officials should establish and monitor policies and
procedures over network time outs after a reasonable period of
inactivity.
12. District officials should establish policies and procedures to
effectively limit user access to computerized data and deactivate
user accounts upon separation.
DIVISION OF LOCAL GOVERNMENT AND SCHOOL ACCOUNTABILITY 19
19
APPENDIX A
GOODS AND SERVICES PURCHASED THAT CIRCUMVENTED
THE PURCHASE ORDER SYSTEM
Dollar Amount of Number of Invoices
Description of Goods/Services Purchased Goods/Services Pre-dating the
Purchased Purchase Orders
Summer Service and Safety Repair of
Electronics $12,447 14
Fuel Conditioner $8,819 5
Retainer for Media Services $5,430 1
Website Service $5,279 2
External Communication Plan Service $4,360 2
Clear Plastic Liners $3,074 1
Pumping of Septic Tanks at Elementary
School $2,970 1
Fuel Pump Parts $2,658 3
Reimbursement for Supplies $2,652 1
Services for Hearing Officer $2,150 1
Maintenance Shop Supplies $1,960 2
Reimbursement for Laptop Purchase $1,836 1
Telephones $1,185 2
Staff Lunches for Test Scoring $1,001 5
Hotels for Convention $891 3
Reimbursement for Software Purchases $750 1
Repairs for Vehicle Damaged by Bus $734 1
Reimbursement for Textbook Purchases $514 3
Server maintenance $500 1
Superintendent and Board Lunches5 $398 1
Pizza for Board Meetings $186 3
Totals $59,794 54
5
The District received reimbursement from Board members totaling $256 related to this invoice.
20 OFFICE OF THE NEW YORK STATE COMPTROLLER
APPENDIX B
WEIGHTED AVERAGE ELECTRICITY DEMAND
AVERAGE ELECTRICAL DEMAND OF COMPUTERS BY TYPE IN WATTS/HR
Computer Percent of Total Full Power
System Standby Shutdown Watts/Hr
Model Machines Mode Watts/Hr
A 2.04% 62 N/A 1
B 2.21% 97 7 4.5
C 2.47% 45 2 1.5
D 22.11% 97 7.5 2.5
E 11.22% 103 7 3
F 8.67% 91 39 2.5
G 3.49% 53.5 4 1
H 5.27% 45 3.5 2.5
I 4.34% 53.5 3 2
J 10.03% 45 2 1.5
K 4.59% 57.5 3.5 1
L 8.84% 53 2 1.5
M 2.13% 79.5 3 1
N 2.04% 57.5 N/A 0.5
O 3.32% 100 1.5 2
P 4.34% 119 N/A 1.5
Q 2.89% 76 N/A 0
Weighted
Average6 100% 77.36 7.14 2.01
6
Similarities exist among the power management settings of the computer models in use at the District; because of these
similarities we derived a weighted average benchmark for calculating potential cost savings.
DIVISION OF LOCAL GOVERNMENT AND SCHOOL ACCOUNTABILITY 21
21
APPENDIX C
POTENTIAL KILOWATT-HOUR SAVINGS
In order to determine the amount of savings possible if power management practices were implemented,
we considered the District as fully operational with classroom instruction for approximately eight
hours per day. In addition, the 2008-09 District calendar establishes that there are 181 instructional
days or working weekdays. It also establishes 116 weekends and holidays (84 weekend days and 32
holidays) in which the District is closed to the majority of faculty and staff.
In addition to the normal school year, the District offers an extensive summer school program.
Therefore, we considered the District as fully operational with classroom instruction for approximately
eight hours per day during the summer months. We established that there were 48 working weekdays
and 20 weekend days during the summer months.
Using the above test results, we calculated the potential total kilowatt-hour (kWh) savings for a fiscal
year. The following table illustrates the estimated kWh usage of the actual number of District computers
that the IT staff reported to us as powered on during non-work hours in their current settings; the
optimal kWh usage by implementing energy conservation measures; and associated kWh daily and
annual savings available to the District.
Potential kWh Savings for the School Year
Estimated Current Optimal kWh Daily kWh School Year
kWh Usage/Day Usage/Day Savings kWh Savings
Instructional
Days 1,610.52 830.02 780.50 141,270
Weekend/
Holiday 1,303.82 61.46 1,242.36 144,113
TOTAL 2,914.34 891.48 2,022.86 285,383
Potential kWh Savings for the Summer Months
Estimated Current Optimal kWh Daily kWh Summer Months
kWh Usage/Day Usage/Day Savings kWh Savings
Instructional
Days 804.62 340.47 464.15 22,279
Weekend/
Holiday 772.67 25.21 747.46 14,949
TOTAL 1,577.29 365.68 1,211.61 37,228
22 OFFICE OF THE NEW YORK STATE COMPTROLLER
APPENDIX D
RESPONSE FROM DISTRICT OFFICIALS
The District officials’ response to this audit can be found on the following pages.
DIVISION OF LOCAL GOVERNMENT AND SCHOOL ACCOUNTABILITY 23
23
24 OFFICE OF THE NEW YORK STATE COMPTROLLER
DIVISION OF LOCAL GOVERNMENT AND SCHOOL ACCOUNTABILITY 25
25
26 OFFICE OF THE NEW YORK STATE COMPTROLLER
APPENDIX E
AUDIT METHODOLOGY AND STANDARDS
Our overall goal was to assess the adequacy of the internal controls put in place by officials to safeguard
District assets. To accomplish this, we performed an initial assessment of the internal controls so
that we could design our audit to focus on those areas most at risk. Our initial assessment included
evaluations of the following areas: financial oversight, cash receipts and disbursements, purchasing,
payroll and personal services, and information technology.
During the initial assessment, we interviewed appropriate District officials, performed limited tests
of transactions and reviewed pertinent documents, such as District policies and procedures manuals,
Board minutes, and financial records and reports. In addition, we obtained information directly from
the computerized financial databases and then analyzed it electronically using computer-assisted
techniques. This approach provided us with additional information about the District’s financial
transactions as recorded in its databases. Further, we reviewed the District’s internal controls and
procedures over the computerized financial databases to help ensure that the information produced by
such systems was reliable.
After reviewing the information gathered during our initial assessment, we determined where
weaknesses existed, and evaluated those weaknesses for the risk of potential fraud, theft and/or
professional misconduct. We then decided upon the reported objectives and scope by selecting for audit
those areas most at risk. We selected procurement, cash receipts and disbursements, and information
technology for further audit testing.
To accomplish the objectives of this audit, we performed the following steps:
• We reviewed 51 claims constituting 78 purchase orders and 105 invoices totaling $420,000 to
determine if District officials obtained requisition forms and purchase orders where appropriate,
purchase orders were approved prior to the invoice date, and District officials signed for the
receipt of goods.
• We reviewed 10 credit card claims totaling $7,344 to determine if they were appropriate District
expenditures and included supporting documentation.
• We reviewed claims to 13 vendors to determine if they obtained bids where appropriate.
• We reviewed 51 claims totaling $420,000 to determine if they were audited, approved, listed on
warrants, mathematically accurate, and legitimate. We also determined if the original invoice
was attached, late payments were incurred, sales tax was paid, sufficient documentation was
provided, invoices matched claims, and goods were shipped to a District address.
• We reviewed 12 claims totaling $3,377 paid to District officials to determine if they were
accurate and appropriate.
DIVISION OF LOCAL GOVERNMENT AND SCHOOL ACCOUNTABILITY 27
27
• We traced 377 hand-drawn check claims totaling $24.2 million from the General, Capital,
Special Aid, Health Benefits, and Trust funds to cancelled check images or voided checks.
• We traced all 14 bank transfers from April 2008 to and from District bank accounts totaling
$11.2 million to ensure the money was not transferred to non-District bank accounts.
• We compared information from ten checks on a listing of checks to claims and cancelled check
images totaling $6,676.
• We compared information from ten cancelled check images to claims and a listing of checks
totaling $10,221.
• We traced 20 checks indicated as “voided” in the accounting records to physical voided checks
totaling $56,769 to verify they were properly voided and maintained.
• We traced nine bank transactions from the 2007-08 school year totaling $779,066 to supporting
documentation to verify their appropriateness.
• We reviewed the General, Capital Project, Trust, Special Aid, and Health Benefits Funds bank-
to-book reconciliations for accuracy for the months of May 2007 and April 2008.
• We reviewed information from 140 capital projects fund checks totaling $2.6 million to
cancelled check images or voided checks to ensure they were not made out to the District
Treasurer.
• We reviewed 20 general journal entries during our audit period to verify their
appropriateness.
• We traced all general fund duplicate receipt forms from January, July, and November 2007
(211 receipt forms totaling approximately $87.9 million) to cash receipts journals and District
bank statements to verify moneys received were recorded and deposited timely and receipt
forms were issued in sequence.
• We verified that 50 New York State payments to the District totaling approximately $12.6
million were deposited in District bank accounts.
• We traced $63,657 in moneys received from an outside agency to the District’s duplicate receipt
forms and bank statements to ensure they were properly recorded and deposited.
• We contacted the Tompkins County Finance Manager to determine if any District taxpayers
had complained about the payment of their school tax bill.
• We traced donations totaling $82,100 noted in the Board minutes to District bank accounts to
ensure they were properly recorded and deposited.
28 OFFICE OF THE NEW YORK STATE COMPTROLLER
• We performed a trend analysis of moneys received from February 2007 to June 2007 and
compared it to a trend of moneys received from February 2008 to June 2008 to determine if
there were any significant variances.
• We performed a trend analysis of moneys received from a period in which the Treasurer was
on vacation and compared it to trends of moneys received just prior to and immediately after
the Treasurer’s vacation to determine if there were any significant variances.
• We reviewed user access rights to the financial software to determine if users had appropriate
access based on their job requirements.
• We obtained and tested a read-only user account to the network and financial software to
determine if there were adequate controls over passwords.
• We reviewed user accounts of a sample of 11 former employees to determine if the accounts
were deactivated timely upon their separation from District service.
• We reviewed the content of seven district computers to determine if employees used the
computers for inappropriate of personal use.
• We reviewed computer ping tests, energy bills, and utilized an electricity usage monitoring
device to determine potential cost savings if the District enabled computer power management
features and turned computers off during non-work hours.
• In order to verify that cost savings could be achieved by reducing the amount of electricity
used by the District’s computers, we tested the on/off status of District computers for two
periods of seven straight days (fourteen days total) during our audit period.
We conducted this performance audit in accordance with generally accepted government auditing
standards (GAGAS). Those standards require that we plan and perform the audit to obtain sufficient,
appropriate evidence to provide a reasonable basis for our findings and conclusions based on our audit
objectives. We believe that the evidence obtained provides a reasonable basis for our findings and
conclusions based on our audit objectives.
DIVISION OF LOCAL GOVERNMENT AND SCHOOL ACCOUNTABILITY 29
29
APPENDIX F
HOW TO OBTAIN ADDITIONAL COPIES OF THE REPORT
To obtain copies of this report, write or visit our web page:
Office of the State Comptroller
Public Information Office
110 State Street, 15th Floor
Albany, New York 12236
(518) 474-4015
http://www.osc.state.ny.us/localgov/
30 OFFICE OF THE NEW YORK STATE COMPTROLLER
APPENDIX G
OFFICE OF THE STATE COMPTROLLER
DIVISION OF LOCAL GOVERNMENT
AND SCHOOL ACCOUNTABILITY
Steven J. Hancox, Deputy Comptroller
John C. Traylor, Assistant Comptroller
LOCAL REGIONAL OFFICE LISTING
BUFFALO REGIONAL OFFICE GLENS FALLS REGIONAL OFFICE
Robert Meller, Chief Examiner Karl Smoczynski, Chief Examiner
Office of the State Comptroller Office of the State Comptroller
295 Main Street, Suite 1032 One Broad Street Plaza
Buffalo, New York 14203-2510 Glens Falls, New York 12801-4396
(716) 847-3647 Fax (716) 847-3643 (518) 793-0057 Fax (518) 793-5797
Email: Muni-Buffalo@osc.state.ny.us Email: Muni-GlensFalls@osc.state.ny.us
Serving: Allegany, Cattaraugus, Chautauqua, Erie, Serving: Clinton, Essex, Franklin, Fulton, Hamilton,
Genesee, Niagara, Orleans, Wyoming counties Montgomery, Rensselaer, Saratoga, Warren, Washington
counties
ROCHESTER REGIONAL OFFICE ALBANY REGIONAL OFFICE
Edward V. Grant, Jr., Chief Examiner Kenneth Madej, Chief Examiner
Office of the State Comptroller Office of the State Comptroller
The Powers Building 22 Computer Drive West
16 West Main Street, Suite 522 Albany, New York 12205-1695
Rochester, New York 14614-1608 (518) 438-0093 Fax (518) 438-0367
(585) 454-2460 Fax (585) 454-3545 Email: Muni-Albany@osc.state.ny.us
Email: Muni-Rochester@osc.state.ny.us
Serving: Albany, Columbia, Dutchess, Greene,
Serving: Cayuga, Chemung, Livingston, Monroe, Schenectady, Ulster counties
Ontario, Schuyler, Seneca, Steuben, Wayne, Yates
counties
SYRACUSE REGIONAL OFFICE HAUPPAUGE REGIONAL OFFICE
Eugene A. Camp, Chief Examiner Jeffrey P. Leonard, Chief Examiner
Office of the State Comptroller Office of the State Comptroller
State Office Building, Room 409 NYS Office Building, Room 3A10
333 E. Washington Street Veterans Memorial Highway
Syracuse, New York 13202-1428 Hauppauge, New York 11788-5533
(315) 428-4192 Fax (315) 426-2119 (631) 952-6534 Fax (631) 952-6530
Email: Muni-Syracuse@osc.state.ny.us Email: Muni-Hauppauge@osc.state.ny.us
Serving: Herkimer, Jefferson, Lewis, Madison, Serving: Nassau, Suffolk counties
Oneida, Onondaga, Oswego, St. Lawrence counties
BINGHAMTON REGIONAL OFFICE
Patrick Carbone, Chief Examiner NEWBURGH REGIONAL OFFICE
Office of the State Comptroller Christopher Ellis, Chief Examiner
State Office Building, Room 1702 Office of the State Comptroller
44 Hawley Street 33 Airport Center Drive, Suite 103
Binghamton, New York 13901-4417 New Windsor, New York 12553-4725
(607) 721-8306 Fax (607) 721-8313 (845) 567-0858 Fax (845) 567-0080
Email: Muni-Binghamton@osc.state.ny.us Email: Muni-Newburgh@osc.state.ny.us
Serving: Broome, Chenango, Cortland, Delaware, Serving: Orange, Putnam, Rockland, Westchester
Otsego, Schoharie, Sullivan, Tioga, Tompkins counties
counties
DIVISION OF LOCAL GOVERNMENT AND SCHOOL ACCOUNTABILITY 31
31
Related docs
