Voorheesville Central School District

OFFICE OF THE NEW YORK STATE COMPTROLLER
DIVISION OF LOCAL GOVERNMENT & SCHOOL ACCOUNTABILITY

Voorheesville Central School District
Internal Controls Over Online Banking and Personal, Private, and Sensitive Information

Report of Examination
Period Covered: July 1, 2008 to May 4, 2010
2010M-195

Thomas P. DiNapoli

TABLE OF CONTENTS

AUTHORITY LETTER
EXECUTIVE SUMMARY
INTRODUCTION
    Background
    Objective
    Scope and Methodology
    Comments of District Officials and Corrective Action
ONLINE BANKING
    Recommendations
PERSONAL, PRIVATE, AND SENSITIVE INFORMATION
    Recommendation
APPENDIX A    Response From District Officials
APPENDIX B    Audit Methodology and Standards
APPENDIX C    How to Obtain Additional Copies of the Report
APPENDIX D    Local Regional Office Listing

State of New York
Division of Local Government and School Accountability

February 2011

Dear School District Officials:

A top priority of the Office of the State Comptroller is to help school district officials manage their districts efficiently and effectively and, by so doing, provide accountability for tax dollars spent to support district operations. The Comptroller oversees the fiscal affairs of districts statewide, as well as districts' compliance with relevant statutes and observance of good business practices. This fiscal oversight is accomplished, in part, through our audits, which identify opportunities for improving district operations and Board of Education governance. Audits also can identify strategies to reduce district costs and to strengthen controls intended to safeguard district assets.

Following is a report of our audit of the Voorheesville Central School District, entitled Internal Controls Over Online Banking and Personal, Private, and Sensitive Information. This audit was conducted pursuant to Article V, Section 1 of the State Constitution and the State Comptroller's authority as set forth in Article 3 of the General Municipal Law.

This audit's results and recommendations are resources for district officials to use in effectively managing operations and in meeting the expectations of their constituents. If you have questions about this report, please feel free to contact the local regional office for your county, as listed at the end of this report.

Respectfully submitted,

Office of the State Comptroller
Division of Local Government and School Accountability

EXECUTIVE SUMMARY

The Voorheesville Central School District (District) is governed by the Board of Education (Board) which comprises seven elected members. The Board is responsible for the general management and control of the District's financial and educational affairs. The Superintendent of Schools (Superintendent) is the chief executive officer of the District and is responsible, along with other administrative staff, for the day-to-day management of the District under the direction of the Board.

Scope and Objective

The objective of our audit was to assess the District's internal controls over online banking and personal, private, and sensitive information (PPSI) for the period July 1, 2008, to May 4, 2010. Our audit addressed the following related questions:

Are internal controls over online banking appropriately designed and operating effectively?

Are internal controls over PPSI appropriately designed and operating effectively?

Audit Results

The District did not have a banking agreement with each bank that it uses for electronic transfers. In addition, the Treasurer's method of accessing the banking websites is not secure. As a result, District funds are at risk of loss and misuse. Based on our testing, we found no inappropriate or unauthorized transfers of District funds.

District officials have not developed procedures to properly sanitize computer equipment before disposal. As a result, PPSI under the District's control is at risk of misuse.

Comments of District Officials

The results of our audit and recommendations have been discussed with District officials and their comments, which appear in Appendix A, have been considered in preparing this report. District officials agreed with our recommendations and indicated they have already begun to initiate corrective action.

INTRODUCTION

Background

The Voorheesville Central School District (District) is located in the Village of Voorheesville in Albany County. The District is governed by the Board of Education (Board) which comprises seven elected members. The Board is responsible for the general management and control of the District's financial and educational affairs. The Superintendent of Schools (Superintendent) is the chief executive officer of the District and is responsible, along with other administrative staff, for the day-to-day management of the District under the direction of the Board. The Board has designated the Superintendent to certify District payroll. The Assistant Superintendent for Business (Assistant Superintendent) oversees all functions within the Business Office, including the Treasurer, who is responsible for cash receipts and disbursements, and the payroll clerk, who is responsible for processing all payrolls.

There are three schools in operation within the District, with approximately 1,200 students and 260 full- and part-time employees. The District's budgeted expenditures for the 2009-10 fiscal year were approximately $21.7 million, which were funded primarily with real property taxes and State aid.

Objective

The objective of our audit was to assess the District's internal controls over online banking and personal, private, and sensitive information (PPSI). Our audit addressed the following related questions:

Are internal controls over online banking appropriately designed and operating effectively?

Are internal controls over PPSI appropriately designed and operating effectively?

Scope and Methodology

We assessed the internal controls of the District over online banking and PPSI for the period July 1, 2008, to May 4, 2010. We conducted our audit in accordance with generally accepted government auditing standards (GAGAS). More information on such standards and the methodology used in performing this audit is included in Appendix B of this report.

Comments of District Officials and Corrective Action

The results of our audit and recommendations have been discussed with District officials and their comments, which appear in Appendix A, have been considered in preparing this report. District officials agreed with our recommendations and indicated they have already begun to initiate corrective action.

The Board has the responsibility to initiate corrective action. Pursuant to Section 35 of the General Municipal Law, Section 2116-a (3)(c) of the Education Law and Section 170.12 of the Regulations of the Commissioner of Education, a written corrective action plan (CAP) that addresses the findings and recommendations in this report must be prepared and provided to our office within 90 days, with a copy forwarded to the Commissioner of Education. To the extent practicable, implementation of the CAP must begin by the end of the next fiscal year. For more information on preparing and filing your CAP, please refer to our brochure, Responding to an OSC Audit Report, which you received with the draft audit report. The Board should make the CAP available for public review in the District Clerk's office.

ONLINE BANKING

Online banking provides a means of direct access to moneys held in the District's accounts. It is an immediate way to review current account balances and account information, review recent transactions, transfer moneys between bank accounts, and transfer moneys to external accounts. Local governments are allowed to disburse or transfer funds in their custody by means of electronic or wire transfer. Wire transfers of funds typically involve significant amounts of money. For that reason, it is important for the processing of wire transfers to be controlled to help prevent unauthorized transfers from occurring. Having an online banking agreement with each financial institution that the District uses for electronic transfers reduces the risk of unauthorized transfers. Establishing appropriate procedures to securely access banking websites also helps to reduce the risk of unauthorized transfers.

The processing of wire transfers should be controlled to help prevent unauthorized transfers from occurring. Appropriate controls over wire transfers include management authorization of a transfer before the transaction is initiated. This authorization should be supported by documentation itemizing the purpose, source, destination and amount of the transfer to be made. Also, prior to transferring any funds, the bank should confirm each transfer request with a District official other than the person making the request. To help detect any unauthorized wire transfers, management should routinely review and reconcile wire transfer activity.

The Board adopted a written policy related to approving, initiating, documenting, reconciling, and monitoring wire transfers. However, the District did not have a banking agreement with each bank that it uses for electronic transfers. In addition, the Treasurer's method of accessing the banking websites is not secure. As a result, District funds are at risk of loss and misuse. Based on our testing, we found no inappropriate or unauthorized transfers of District funds.

Banking Agreement

Per General Municipal Law,[1] the online banking agreement should prescribe the manner in which electronic or wire transfers will be accomplished, identify the names and numbers of the bank accounts from which electronic or wire transfers may be made, identify which individuals are authorized to request an electronic or wire transfer of funds, and implement a security procedure as defined in Uniform Commercial Code, Section 4-A-201. This latter requirement includes a procedure established by agreement with the bank for the purpose of verifying that a payment order is that of the entity and detecting errors in transmission or the content of the payment order.

The District conducts online banking with three separate banks but it makes electronic transfers with only two of them. The District has an online banking agreement with only one of the two banks that it uses to make electronic transfers. We reviewed that agreement and found that it appropriately prescribes the manner in which electronic or wire transfers will be accomplished, identifies the individual that is authorized to request an electronic or wire transfer, and outlines a security procedure. The agreement identifies the names and numbers of the bank accounts from which electronic or wire transfers may be made. The lack of an online banking agreement with the second bank places District assets at increased risk of loss.

Access to Bank Website

When accessing banking websites, it is important for the user to type the bank's website address into the Internet browser's address bar each and every time the website is accessed. A link, such as an Internet favorite, must never be used to reach a bank's website. Users should also not allow the computer or web browser to save log-in names or passwords because it increases the likelihood that someone with malicious intent could access the saved names and passwords. Additionally, it is essential to erase the web browser cache, temporary Internet files, cookies, and history after an online banking session is completed so that if the computer is compromised, that information will not be on the computer to be stolen by a hacker or malware program.

Access to the bank website is not adequately secured. We observed that the Treasurer used a link from the District website to access the bank's website. We also found that the Treasurer did not erase the web browser cache, temporary Internet files, cookies, or history after the online banking session. As a result, the District is at higher risk for financial losses.

Because of the inherent risks associated with wire transfers, we reviewed 15 online bank transfers made in the 2008-09 and 2009-10 fiscal years, totaling $8,856,437,[2] to determine whether they were preauthorized, were for valid District purposes, and if there was secondary approval when required. We found that the 15 transfers had documentation showing that the transfers were authorized by the Assistant Superintendent or other authorized District employee prior to the transfers being made by the Treasurer, the transfers were for legitimate District purposes, and, when necessary, the transfers had the authorization of a secondary official of the District. In addition, the 15 transfers had supporting documentation indicating that the transactions were subsequently reviewed and reconciled by a District official. We did not find any inappropriate or unauthorized transfers.

Recommendations

1. District officials should ensure that they have an adequate online banking agreement with each of their banks that addresses electronic or wire transfers.

2. District officials should establish access procedures that prohibit the practices of using Internet favorites or links to access a bank's website. Also, the web browser cache, temporary Internet files, cookies, and history should be erased after every online banking session.

[1] General Municipal Law Section 5-a
[2] We selected 15 online bank transfers totaling $8,856,437 from District online banking reports and District bank statements. These transfers were judgmentally selected to include samples from all District banks, multiple bank accounts, and a range of different amounts.
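As an added example, not part of the audit report: a Python check that applies the wire-transfer controls described above (management authorization before initiation, documentation itemizing purpose, source, destination and amount, bank confirmation with an official other than the requester, secondary approval when required, and subsequent review and reconciliation) to a set of constructed transfer records. The record layout, the names used and the secondary-approval threshold are assumptions, not the District's actual procedure or banking system.

```python
"""Control checks over electronic/wire transfer records, applying the controls
described in the Online Banking section: management authorization before
initiation, itemized documentation, bank confirmation with a different official,
secondary approval when required, and subsequent review and reconciliation.
Added example; the record layout and approval threshold are assumptions."""
from dataclasses import dataclass
from datetime import datetime
from typing import Optional

@dataclass
class Transfer:
    ref: str
    amount: float
    purpose: str
    source_account: str
    destination_account: str
    requested_by: str                          # person initiating the transfer
    initiated_at: datetime
    authorized_by: Optional[str] = None        # management pre-authorization
    authorized_at: Optional[datetime] = None
    bank_confirmed_with: Optional[str] = None  # official the bank called back
    secondary_approver: Optional[str] = None   # needed above the threshold
    reconciled_by: Optional[str] = None        # post-transfer review

def check_transfer(t: Transfer, secondary_threshold: float) -> list[str]:
    """Return the control exceptions for one transfer (empty list = clean)."""
    findings = []
    # Supporting documentation must itemize purpose, source, destination, amount.
    for label, value in (("purpose", t.purpose), ("source", t.source_account),
                         ("destination", t.destination_account)):
        if not value:
            findings.append(f"missing {label}")
    if t.amount <= 0:
        findings.append("non-positive amount")
    # Management authorization must exist, precede initiation, and come from
    # someone other than the person initiating the transfer.
    if not t.authorized_by or t.authorized_at is None:
        findings.append("no prior authorization")
    elif t.authorized_at > t.initiated_at:
        findings.append("authorized after initiation")
    elif t.authorized_by == t.requested_by:
        findings.append("requester authorized own transfer")
    # The bank must confirm the request with a different District official.
    if not t.bank_confirmed_with:
        findings.append("no bank confirmation")
    elif t.bank_confirmed_with == t.requested_by:
        findings.append("bank confirmed with requester")
    # Secondary approval when required (the threshold is an assumed policy value).
    if t.amount >= secondary_threshold:
        if not t.secondary_approver:
            findings.append("secondary approval missing")
        elif t.secondary_approver in (t.requested_by, t.authorized_by):
            findings.append("secondary approver not independent")
    # Routine review and reconciliation of wire activity after the fact.
    if not t.reconciled_by:
        findings.append("not reconciled")
    return findings

def audit_transfers(transfers, secondary_threshold: float = 100_000.0) -> dict[str, list[str]]:
    """Map each transfer reference to its exceptions; clean transfers are omitted."""
    return {t.ref: f for t in transfers
            if (f := check_transfer(t, secondary_threshold))}

# Constructed sample records (not the audited transfers).
SAMPLE = [
    Transfer("T1", 50_000.0, "Debt service", "GF-001", "DS-777", "treasurer",
             datetime(2010, 3, 2, 10, 0), authorized_by="asst_superintendent",
             authorized_at=datetime(2010, 3, 1, 16, 30),
             bank_confirmed_with="asst_superintendent", reconciled_by="clerk"),
    Transfer("T2", 250_000.0, "Payroll funding", "GF-001", "PR-002", "treasurer",
             datetime(2010, 3, 15, 9, 0), authorized_by="asst_superintendent",
             authorized_at=datetime(2010, 3, 14, 11, 0),
             bank_confirmed_with="treasurer", reconciled_by="clerk"),
    Transfer("T3", 12_000.0, "", "GF-001", "EXT-VENDOR", "treasurer",
             datetime(2010, 4, 1, 8, 0), authorized_by="asst_superintendent",
             authorized_at=datetime(2010, 4, 1, 13, 0),
             bank_confirmed_with="asst_superintendent"),
]
```

Running `audit_transfers(SAMPLE)` reports nothing for T1, the callback and secondary-approval exceptions for T2, and the missing purpose, late authorization and missing reconciliation for T3.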

PERSONAL, PRIVATE, AND SENSITIVE INFORMATION

District officials and employees collect, process, transmit, store, and/or report a considerable amount of personal, private, and sensitive information (PPSI) in the normal course of business. The privacy of information is a major concern because the number of breaches of PPSI has grown dramatically throughout the world over the past few years resulting in the exposure of millions of records. Breaches have resulted in numerous individuals suffering identity theft and credit card fraud and in many organizations experiencing a loss of public trust and incurring legal liability. A 2006 Federal Trade Commission Survey[3] stated that approximately 8.3 million adults discovered they were victims of some form of identity theft in 2005.

Good governance and accountability require the Board to adopt policies and procedures to safeguard PPSI against unauthorized access, misuse, and improper disclosure of sensitive data. Therefore, sensitive and confidential information and software must be safeguarded throughout its useful life. Such information must be cleared from computer hard drives, disks, and other equipment and media before they are disposed of or transferred to another use. Organizations need to have a plan that clearly describes the organization's security management program and the policies and procedures that support it, including procedures for the secure disposal of electronic information.

District officials have not developed procedures to properly sanitize computer equipment before disposal. The District's hard drives (and other storage devices) are not cleaned and sanitized when disposed of. The District has not established policies and procedures regarding the disposal or reassignment of computer equipment and the eradication of the sensitive information stored on those computers and media. The District leases a large portion of its computer equipment from the Northeastern Regional Information Center (NERIC). Before surrendering the equipment back to NERIC, District officials do not take any measures to remove sensitive data that may have been stored on hard drives. If sensitive/confidential information is not fully sanitized, it may be recovered and inappropriately used or disclosed by individuals who have access to the discarded or transferred equipment and media.

[3] 2006 Identity Theft Survey Report http://www.ftc.gov/os/2007/synovate Final ReportIDTheft2006.pdf

Recommendation

3. District officials should establish policies and procedures for the proper sanitizing of computer data from all equipment and media prior to the transfer or disposition of these items.
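As an added example, not part of the audit report or of NERIC's procedures: a Python scan that checks whether a disk image (or a block device opened read-only) has actually been sanitized before the hardware is surrendered or disposed of, by flagging sectors that are not a uniform wipe pattern and looking for common file-header signatures among the leftovers. The sector size, the signature table and the sample images are assumptions constructed for the example.

```python
"""Verify that a storage image has actually been sanitized before the equipment
is surrendered or disposed of. A 512-byte sector counts as residual data unless
it is one uniform wipe pattern (all 0x00 or all 0xFF); non-blank sectors are
also checked for common file-header signatures that indicate recoverable files.
Added example; the sector size and the signature table are assumptions."""
from typing import Iterable, Iterator

SECTOR = 512
# Magic bytes of file types that commonly hold PPSI on office machines.
SIGNATURES = {
    b"%PDF": "pdf",
    b"PK\x03\x04": "zip/office-xml",
    b"\xff\xd8\xff": "jpeg",
    b"\xd0\xcf\x11\xe0": "legacy-office",
}

def _is_blank(sector: bytes) -> bool:
    """True only for a uniform wipe pattern; anything else is residual data."""
    return sector == b"\x00" * len(sector) or sector == b"\xff" * len(sector)

def _sectors_from_bytes(data: bytes, sector_size: int) -> Iterator[bytes]:
    for offset in range(0, len(data), sector_size):
        yield data[offset:offset + sector_size]

def _sectors_from_file(path: str, sector_size: int) -> Iterator[bytes]:
    """Stream a large image or a block device opened read-only, 2048 sectors at a time."""
    with open(path, "rb") as fh:
        while chunk := fh.read(sector_size * 2048):
            yield from _sectors_from_bytes(chunk, sector_size)

def scan_sectors(sectors: Iterable[bytes], sector_size: int = SECTOR) -> dict:
    """Summarize residual data across a stream of fixed-size sectors."""
    total = residual = 0
    first_residual = None
    found = set()
    for index, sector in enumerate(sectors):
        total += 1
        if _is_blank(sector):
            continue
        residual += 1
        if first_residual is None:
            first_residual = index * sector_size
        for magic, name in SIGNATURES.items():
            if magic in sector:
                found.add(name)
    return {
        "sectors": total,
        "residual_sectors": residual,
        "residual_ratio": residual / total if total else 0.0,
        "first_residual_offset": first_residual,
        "signatures": sorted(found),
        "sanitized": total > 0 and residual == 0,  # empty input is not a pass
    }

def scan_image(data: bytes, sector_size: int = SECTOR) -> dict:
    return scan_sectors(_sectors_from_bytes(data, sector_size), sector_size)

def scan_file(path: str, sector_size: int = SECTOR) -> dict:
    return scan_sectors(_sectors_from_file(path, sector_size), sector_size)

# Constructed images: one fully wiped, one with a leftover PDF fragment.
WIPED = bytes(8 * SECTOR)
MARK = b"%PDF-1.4 employee medical record (sample)"
LEFTOVER = bytearray(WIPED)
LEFTOVER[3 * SECTOR:3 * SECTOR + len(MARK)] = MARK
LEFTOVER = bytes(LEFTOVER)
```

A drive that passes this scan is only shown to hold no readable sectors; it does not prove the wipe reached remapped or over-provisioned areas, which is why the report calls for a documented sanitization procedure rather than a one-off check.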

APPENDIX A
RESPONSE FROM DISTRICT OFFICIALS

The District officials' response to this audit can be found on the following pages.

APPENDIX B
AUDIT METHODOLOGY AND STANDARDS

Our overall goal was to assess the adequacy of the internal controls put in place by officials to safeguard District assets. To accomplish this, we performed an initial assessment of the internal controls so that we could design our audit to focus on those areas most at risk. Our initial assessment included evaluations of the following areas: financial oversight, cash receipts and disbursements, purchasing, payroll and personal services, and the information technology system.

During the initial assessment, we interviewed appropriate District officials, performed limited tests of transactions and reviewed pertinent documents, such as District policies and procedures manuals, Board minutes, and financial records and reports. In addition, we obtained information directly from the computerized financial databases and then analyzed it electronically using computer-assisted techniques. This approach provided us with additional information about the District's financial transactions as recorded in its databases. Further, we reviewed the District's internal controls and procedures over the computerized financial databases to help ensure that the information produced by such systems was reliable.

After reviewing the information gathered during our initial assessment, we determined where weaknesses existed, and evaluated those weaknesses for the risk of potential fraud, theft and/or professional misconduct. Based on that evaluation we determined that controls appeared to be adequate and limited risk existed in most of the financial areas we reviewed. We then decided on the reported objectives and scope by selecting for audit those areas most at risk. We selected online banking and PPSI for further audit testing.

For the area of online banking:

We interviewed appropriate District personnel.
We examined District computers and observed how District officials performed certain online banking activities and functions.
We examined the following records: bank statements, journal entry approval forms, minutes of the Board, third-party service agreements, and the District's policy manual.
We traced 15 online bank transfers from District bank accounts to receiving accounts.

For the area of PPSI:

We interviewed appropriate District personnel.
We examined the District's policy manual, confidentiality statements, and the District's website to identify elements of PPSI.
We assessed the physical security of employee medical records and District laptop computers.

We conducted this performance audit in accordance with generally accepted government auditing standards (GAGAS). Those standards require that we plan and perform the audit to obtain sufficient, appropriate evidence to provide a reasonable basis for our findings and conclusions based on our audit objectives. We believe that the evidence obtained provides a reasonable basis for our findings and conclusions based on our audit objectives.

APPENDIX C
HOW TO OBTAIN ADDITIONAL COPIES OF THE REPORT

To obtain copies of this report, write or visit our web page:

Public Information Office
110 State Street, 15th Floor
Albany, New York 12236
(518) 474-4015
http://www.osc.state.ny.us/localgov/

APPENDIX D
OFFICE OF THE STATE COMPTROLLER
DIVISION OF LOCAL GOVERNMENT AND SCHOOL ACCOUNTABILITY
Steven J. Hancox, Deputy Comptroller

LOCAL REGIONAL OFFICE LISTING

ALBANY REGIONAL OFFICE
Kenneth Madej, Chief Examiner
22 Computer Drive West
Albany, New York 12205-1695
(518) 438-0093  Fax (518) 438-0367
Email: Muni-Albany@osc.state.ny.us
Serving: Albany, Columbia, Dutchess, Greene, Schenectady, Ulster counties

HAUPPAUGE REGIONAL OFFICE
Ira McCracken, Chief Examiner
NYS Office Building, Room 3A10
Veterans Memorial Highway
Hauppauge, New York 11788-5533
(631) 952-6534  Fax (631) 952-6530
Email: Muni-Hauppauge@osc.state.ny.us
Serving: Nassau, Suffolk counties

BINGHAMTON REGIONAL OFFICE
State Office Building, Room 1702
44 Hawley Street
Binghamton, New York 13901-4417
(607) 721-8306  Fax (607) 721-8313
Email: Muni-Binghamton@osc.state.ny.us
Serving: Broome, Chenango, Cortland, Delaware, Otsego, Schoharie, Sullivan, Tioga, Tompkins counties

NEWBURGH REGIONAL OFFICE
Christopher Ellis, Chief Examiner
33 Airport Center Drive, Suite 103
New Windsor, New York 12553-4725
(845) 567-0858  Fax (845) 567-0080
Email: Muni-Newburgh@osc.state.ny.us
Serving: Orange, Putnam, Rockland, Westchester counties

BUFFALO REGIONAL OFFICE
Robert Meller, Chief Examiner
295 Main Street, Suite 1032
Buffalo, New York 14203-2510
(716) 847-3647  Fax (716) 847-3643
Email: Muni-Buffalo@osc.state.ny.us
Serving: Allegany, Cattaraugus, Chautauqua, Erie, Genesee, Niagara, Orleans, Wyoming counties

GLENS FALLS REGIONAL OFFICE
One Broad Street Plaza
Glens Falls, New York 12801-4396
(518) 793-0057  Fax (518) 793-5797
Email: Muni-GlensFalls@osc.state.ny.us
Serving: Clinton, Essex, Franklin, Fulton, Hamilton, Montgomery, Rensselaer, Saratoga, Warren, Washington counties

ROCHESTER REGIONAL OFFICE
Edward V. Grant, Jr., Chief Examiner
The Powers Building
16 West Main Street, Suite 522
Rochester, New York 14614-1608
(585) 454-2460  Fax (585) 454-3545
Email: Muni-Rochester@osc.state.ny.us
Serving: Cayuga, Chemung, Livingston, Monroe, Ontario, Schuyler, Seneca, Steuben, Wayne, Yates counties

SYRACUSE REGIONAL OFFICE
Rebecca Wilcox, Chief Examiner
State Office Building, Room 409
333 E. Washington Street
Syracuse, New York 13202-1428
(315) 428-4192  Fax (315) 426-2119
Email: Muni-Syracuse@osc.state.ny.us
Serving: Herkimer, Jefferson, Lewis, Madison, Oneida, Onondaga, Oswego, St. Lawrence counties