Putnam/Northern Westchester BOCES Internal Audit Report on Information Technology




TABLE OF CONTENTS

Report on Internal Controls Related to Information Technology
  Network and Network Security ........................... Page 1
  Accounting Information System .......................... Page 2
  Other Applications ..................................... Page 3
  Information Technology and Disaster Recovery Plan ...... Page 4
  Findings and Recommendations ........................... Pages 5-10
  Corrective Action Plan ................................. Page 10

R.S. Abrams & Co, LLP, Accountants & Consultants for Over 75 Years

Board of Education
Putnam/Northern Westchester BOCES
200 BOCES Drive
Yorktown Heights, New York 10598

We have been engaged by the Board of Education (the "Board") of Putnam/Northern Westchester BOCES (the "BOCES") to provide internal audit services with respect to the BOCES internal controls related to information technology for the period April 1, 2013 through June 30, 2013. The objectives of the engagement were to evaluate and report on the BOCES internal controls pertaining to information technology and to test for compliance with laws, regulations, and the BOCES Board policies and procedures. In connection with the following procedures, we have provided findings and recommendations for the internal controls related to information technology. Our procedures were as follows:

o Reviewed the BOCES policies, procedures, and practices with regard to the internal controls related to information technology;
o Interviewed key BOCES employees involved in the information technology processes;
o Performed a physical observation of the BOCES server rooms at the Yorktown Campus and the Fox Meadow Campus to verify that the server rooms were properly secured and that the servers were reasonably protected from fire and floods;
o Reviewed the user permissions within the accounting information system to identify multiple active user accounts, generic user accounts, and permissions granted to employees that may not be consistent with their job responsibilities;
o Performed a comparison of the master vendor file to the master employee file to identify possible conflicts of interest;
o Reviewed the master vendor file to verify that it was complete, accurate, free of duplicate vendors, and up to date; and
o Reviewed the BOCES Technology Plan to determine that the Plan identified critical information technology infrastructure and equipment, established the most suitable recovery strategy for each application utilized by the BOCES, and identified the individuals responsible for overseeing the disaster recovery process.

The results of our procedures are presented on the following pages.

Our procedures were not designed to express an opinion on the internal controls related to information technology, and we do not express such an opinion. As you know, because of the inherent limitations of any internal control, errors or fraud may occur and not be prevented or detected by internal controls. Also, projections of any evaluation of the accounting system and controls to future periods are subject to the risk that procedures may become inadequate because of changed conditions.

We would like to acknowledge the courtesy and assistance extended to us by personnel of the BOCES. We are available to discuss this report with the Board or others within the BOCES at your convenience.

This report is intended solely for the information and use of the Board, the Audit Committee and the management of the BOCES and is not intended to be and should not be used by anyone other than those specified parties.

Very truly yours,
R.S. Abrams & Co., LLP
August 19, 2013

NETWORK AND NETWORK SECURITY

Firewalls and Intrusion Detection Systems

A firewall is used to implement access control between two networks. It allows authorized BOCES network users to access outside information while preventing those outside the BOCES from accessing BOCES systems. The BOCES firewall consists of a combination of hardware and software that provide several layers of protection against intrusions. The first layer of firewall protection, WatchGuard, utilizes Unified Threat Management (UTM) appliance technology. In addition, the BOCES uses Symantec Enterprise Endpoint Protection. This high-end software is installed on key servers as well as on every BOCES computer, and it further verifies and protects information that passes through the WatchGuard firewall.

Physical Security

The BOCES Network Operations Center ("NOC") is currently at the Yorktown Campus. In addition to the NOC there is a server room located at the Fox Meadow Campus. The Yorktown Campus server room is temperature controlled, and uninterruptible power supply ("UPS") units are in place to protect the BOCES equipment from an unexpected power disruption that could cause business disruption or data loss.

Back-up Controls

The BOCES utilizes many servers that back up nightly at 8 p.m. The BOCES also contracts with an outside vendor to back up all data, including WinCap data, nightly and to store it in two offsite locations, in Virginia and Michigan.

Network and Email Access

Microsoft Exchange serves as the BOCES email server, and the BOCES uses Active Directory for the authentication of network users. All access requests, changes to user permissions, additions of new employees and removal of terminated employees from Active Directory are executed by the Director of Technology or the Network Manager.

VPN

A virtual private network ("VPN") is a network that allows remote users to securely access the BOCES network using a public telecommunication infrastructure, such as the Internet. To gain access, users must first pass a password validation with an RSA SecurID keycard (which updates passwords every minute) and then WatchGuard. After passing these two steps, users must input the proper Windows security password for the specific desktop to gain access. In addition to users being granted access from time to time, WinCap has VPN access. However, this access is limited to the WinCap server only. When WinCap needs VPN access to perform server maintenance, it must contact the Director of Technology to establish a window of time for performing maintenance. WinCap is then granted VPN access for the agreed-upon period, and when this time expires, access is terminated. The BOCES also uses Transport Layer Security, which automatically applies cryptographic protocols to healthcare-related vendor information, including emails, to protect confidential information.
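The following is an added worked example, not part of the report and not BOCES or WinCap tooling. It shows how the approved-window rule for vendor VPN access described above (access granted for an agreed period and terminated when it expires) can be verified after the fact against session records: every vendor session should fall entirely inside a window agreed with the Director of Technology. The account name "wincap-svc", the windows and the session times are constructed for the illustration; a real review would read them from the VPN appliance's session log.

```python
from datetime import datetime

# Constructed sample data (not from the report). The vendor account name is
# hypothetical; staff accounts are out of scope for this particular check.
VENDOR_ACCOUNTS = {"wincap-svc"}

# Approved maintenance windows agreed with the Director of Technology:
# (account, window start, window end)
APPROVED_WINDOWS = [
    ("wincap-svc", datetime(2013, 5, 14, 18, 0), datetime(2013, 5, 14, 22, 0)),
    ("wincap-svc", datetime(2013, 6, 4, 18, 0), datetime(2013, 6, 4, 20, 0)),
]

# Constructed VPN session records: (account, connect time, disconnect time)
VPN_SESSIONS = [
    ("wincap-svc", datetime(2013, 5, 14, 18, 30), datetime(2013, 5, 14, 21, 15)),
    ("wincap-svc", datetime(2013, 6, 4, 19, 0), datetime(2013, 6, 4, 20, 40)),
    ("wincap-svc", datetime(2013, 6, 20, 9, 0), datetime(2013, 6, 20, 9, 45)),
    ("jsmith", datetime(2013, 6, 20, 9, 0), datetime(2013, 6, 20, 10, 0)),
]


def classify_session(session, windows):
    """Return None if the session lies entirely inside an approved window for
    the same account, otherwise a short reason describing the exception."""
    account, start, end = session
    mine = [(w_start, w_end) for w_acct, w_start, w_end in windows if w_acct == account]
    if any(w_start <= start and end <= w_end for w_start, w_end in mine):
        return None
    # Overlaps a window without being contained in it: connected early or
    # stayed on after the agreed end, i.e. access was not terminated on time.
    if any(start < w_end and w_start < end for w_start, w_end in mine):
        return "session extended beyond approved window"
    return "no approved maintenance window"


def unapproved_vendor_sessions(sessions, windows, vendor_accounts):
    """List vendor sessions that did not stay within an approved window, as
    (account, connect ISO time, disconnect ISO time, reason) tuples."""
    exceptions = []
    for session in sessions:
        account, start, end = session
        if account not in vendor_accounts:
            continue
        reason = classify_session(session, windows)
        if reason is not None:
            exceptions.append((account, start.isoformat(), end.isoformat(), reason))
    return exceptions


if __name__ == "__main__":
    for exc in unapproved_vendor_sessions(VPN_SESSIONS, APPROVED_WINDOWS, VENDOR_ACCOUNTS):
        print(*exc)
```

Of the three constructed vendor sessions, the first is within its window, the second started inside a window but ran 40 minutes past its end, and the third has no window at all; only the last two are reported, each with a reason the reviewer can document.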

ACCOUNTING INFORMATION SYSTEM

The BOCES utilizes WinCap as its Accounting Information System ("AIS"). This application was installed by WinCap and requires WinCap to perform application updates, database management and, if necessary, system restores. The following modules of WinCap were identified as being utilized by the BOCES (a brief description of each module has been provided):

o Accounting: Maintains general ledger, accounts payable, budgetary accounting, receipts/revenue, encumbrances/purchasing, and project/grant accounting; generates financial documents such as computer-generated checks, purchase orders, and account and vendor histories; and assists with controls to maintain data integrity and balanced entries.
o Payroll: A payroll generation program that provides detailed employee records and custom generation of payroll.
o Pay Authorization Module: Sets up permissions to particular job functions.
o Bid Module: Maintains all bid information.
o Employee Attendance: Tracks sick, vacation and personal day histories for each employee.
o Employee Benefits: Benefits tracking.
o Human Resource, Appointments: Maintains all employee data, including educational and PDP credits, observations and evaluations, fingerprint tracking, retirement data and emergency medical information.

Passwords

The BOCES should have procedures in place to periodically verify that its system of controls is working as intended, is still needed, and is cost effective, including a review of the controls over access to information systems. Access to computerized files and transactions should be restricted to authorized individuals only. This can be accomplished with the use of passwords and software that restricts users' access and helps ensure that only authorized individuals utilize the computer system.

Permissions

A good internal control framework requires the BOCES management to develop a system of controls that includes proper segregation of duties across the BOCES operations. A proper segregation of duties should exist not only in manual processes, but also within the AIS. WinCap allows the IT Administrator and the School Business Administrator to restrict access to functions specific to job descriptions.

OTHER APPLICATIONS

eSchoolData

eSchoolData is the student data management application currently utilized by the BOCES, which allows the BOCES to track attendance, behavior, and grades by student. The system also provides a course catalog, graduation planning and a grade book, and assists the BOCES in preparing required reports submitted to the New York State Education Department. The entire system is web-based, which allows teachers, instructional administrators, instructional clerical staff, and parents to access student information. Further restrictions are applied to individual users' privileges to ensure that only authorized users see specific information (e.g., teachers only have access to enter attendance and grades; all other functions are restricted).

IEP Direct and BOCES Direct

IEP Direct is the special education student management application currently utilized by the BOCES. BOCES Direct is used in conjunction with IEP Direct and is used strictly for the billing portion. IEP Direct and BOCES Direct are web-based applications that are used to track student IEPs, evaluations, meetings and billings for services, and they assist school districts with the preparation of New York State required reports. Additionally, IEP Direct enables the preparation of STAC forms by the appropriate school district. IEP Direct also facilitates the BOCES compliance with applicable privacy laws and regulations.

XEN Direct

XEN Direct is currently utilized by the BOCES for the continuing education, adult education and adult literacy programs. XEN Direct is a web-based application that is used to track student attendance and grade reporting.

INFORMATION TECHNOLOGY AND DISASTER RECOVERY PLANS

Information Technology Plan

The purpose of the BOCES Technology Plan is to define and outline the steps necessary to prepare students for challenges and opportunities in their educational endeavors by providing the best possible technology environment. The BOCES Technology Plan discusses the BOCES plans for architecture, hardware, software, staff training, implementation, and evaluation. The current Technology Plan covers a three-year period from 2010 through 2013.

Disaster Recovery Plan

Disaster recovery planning is a subset of a larger process known as business continuity planning and includes planning for the resumption of applications, data, hardware, communications (such as networking), and other information technology infrastructure. While the BOCES would like to ensure zero data loss and zero time loss in the event of a disaster, the costs associated with that level of protection may be impractical. The BOCES Technology Plan is comprised of several sections that document the procedures and resources that are to be followed and used in the event that a disaster occurs at the BOCES. The sections of the Technology Plan are as follows:

o Current Status;
o Network Infrastructure;
o Software;
o Administrative Applications;
o Student Management Systems;
o Access;
o Training and Support; and
o Goals & Objectives, Implementation Strategies, and Evaluation Plans.

FINDINGS AND RECOMMENDATIONS

Based on our interviews, observations, and detailed testing, we have provided our findings and recommendations below to further strengthen the BOCES internal controls as they pertain to the information technology processes and procedures outlined above. It should be noted that these recommendations are provided to the BOCES to assist management in improving the BOCES internal controls and procedures relating to information technology. It is important to note that our findings and recommendations are directed toward the improvement of the system of internal controls and should not be considered a criticism of, or reflection on, any employee of the BOCES.

Policies and Procedures

Procedure Performed: We reviewed the BOCES policies to determine whether the BOCES has adopted the legally required policies with regard to information technology.

Result: The BOCES has the minimum required policies: Confidentiality of IEPs (Policy #6330), Internet Safety (Policy #7260), and Information Security Breach and Notification (Policy #4590).

Procedure Performed: We reviewed the BOCES policies and procedures to determine whether the BOCES has adopted the policies and procedures recommended by the Office of the State Comptroller with regard to information technology.

Finding: We noted that the BOCES has a Technology Plan (the "Plan") for 2010-2013 that includes areas such as a disaster recovery plan, data backup systems, physical controls, and remote access controls. In addition, the BOCES utilizes Symantec's Enterprise Endpoint Protection for anti-virus protection. However, the Plan does not outline procedures for anti-virus protection or password security as recommended by the Office of the State Comptroller.

Recommendation: We recommend that the BOCES expand its Technology Plan to include procedures for anti-virus protection and password security.

BOCES Corrective Action Plan: BOCES accepts the recommendation to expand our Technology Plan to include procedures for anti-virus and password security. While we currently utilize anti-virus protection and password security as integral components of our Information Technology security environment, we agree that it is practical to formally outline these procedures in our Technology Plan.

Proposed Implementation Date: 11/13/2013
Responsible Party: Director of Information Technology

Procedure Performed: We reviewed the BOCES procedures with regard to the internal controls related to information technology.

Findings: We noted that the BOCES does not periodically review audit trail reports within WinCap for user activity to identify errors or activity that appears unusual. Additionally, we noted that the BOCES does not review the user security profile change report within WinCap, which includes a login/logout report, to identify unusual user changes and/or users who may be logging into the financial software at unusual times.

Recommendation: We recommend that the BOCES implement procedures to review audit trails. We also recommend that the BOCES periodically review the user security profile change report within WinCap to identify unusual user information changes and to ensure users are not accessing the financial software at unusual times. Additionally, we recommend that these reviews be documented and maintained on file within the business office.

BOCES Corrective Action Plan: BOCES accepts the recommendation to periodically review the user security profile change report within WinCap. This report will be reviewed quarterly to ensure securities are appropriate. These reports will be kept on file in the Business Office. BOCES does not accept the recommendation to implement procedures to review WinCap audit trails. The incredible volume of activities and transactions executed on the WinCap system within even the shortest of periods makes a review of these activities impractical. We believe a mitigating control would be a comprehensive initial review of user rights, combined with periodic reviews of the user security change report as identified above.

Proposed Implementation Date: 4/1/2014
Responsible Party: School Business Administrator

Procedure Performed: We reviewed the BOCES policies, procedures, and practices with regard to information technology in cash management.

Finding: We noted that the BOCES does not utilize a computer dedicated solely to processing wire transfers, as recommended by the Office of the State Comptroller.

Recommendation: We recommend that the BOCES have one computer utilized solely for processing wire transfers. This will help minimize the computer's exposure to attacks that could compromise sensitive BOCES information.

BOCES Corrective Action Plan: BOCES does not accept the recommendation to have one computer utilized solely for processing wires. We believe that the current authentication process required before any machine can be utilized provides BOCES with a level of security that is enhanced from the single computer model. In addition, we believe bank website userid and password requirements, the use of RSA key tags, and second level approval requirements for wire activities collectively create a sound control environment. Finally, we believe the demands and work schedules of those involved, as well as the potential for building closures, make the single computer model an ineffective solution for us at the current time.
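The following is an added worked example, not part of the report and not WinCap's own report format. It illustrates the review recommended for the login/logout and user security profile change report above: flag logins that fall outside normal business hours or on weekends, and list every security profile change so the reviewer can tie each one to an authorized request. The CSV layout, field names, user names and the 6 a.m. to 8 p.m. business-hours window are assumptions constructed for the illustration; a real review would load the export WinCap produces.

```python
import csv
import io
from datetime import datetime, time

# Constructed sample export (not real data). The column names are an
# assumption about what a login/logout and profile-change export contains.
SAMPLE_EXPORT = """\
user,timestamp,event,detail
jsmith,2013-05-06 08:12:00,login,
jsmith,2013-05-06 16:45:00,logout,
mjones,2013-05-07 02:30:00,login,
mjones,2013-05-07 03:10:00,logout,
admin2,2013-05-11 14:00:00,login,
admin2,2013-05-11 14:05:00,profile_change,granted PAYROLL_PROCESS to jsmith
admin2,2013-05-11 14:10:00,logout,
"""

# Assumed business-hours window; the reviewer sets this for their site.
BUSINESS_START = time(6, 0)
BUSINESS_END = time(20, 0)


def parse_export(text):
    """Parse the CSV export into rows with a real datetime in 'timestamp'."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        row["timestamp"] = datetime.strptime(row["timestamp"], "%Y-%m-%d %H:%M:%S")
        rows.append(row)
    return rows


def is_unusual_time(ts):
    """Weekend (Mon=0 .. Sun=6) or outside the business-hours window."""
    return ts.weekday() >= 5 or not (BUSINESS_START <= ts.time() < BUSINESS_END)


def flag_unusual_logins(rows):
    """Logins at times the business office would not expect to see."""
    return [(r["user"], r["timestamp"]) for r in rows
            if r["event"] == "login" and is_unusual_time(r["timestamp"])]


def profile_changes(rows):
    """Every security profile change, for matching against approved requests."""
    return [(r["user"], r["timestamp"], r["detail"]) for r in rows
            if r["event"] == "profile_change"]


def review(text):
    """Run both checks over one export and return the items to document."""
    rows = parse_export(text)
    return {
        "unusual_logins": flag_unusual_logins(rows),
        "profile_changes": profile_changes(rows),
    }


if __name__ == "__main__":
    result = review(SAMPLE_EXPORT)
    for user, ts in result["unusual_logins"]:
        print("unusual login:", user, ts)
    for user, ts, detail in result["profile_changes"]:
        print("profile change:", user, ts, detail)
```

In the constructed data, 6 May 2013 is a Monday and 11 May 2013 a Saturday, so the 02:30 weekday login by "mjones" and the Saturday login by "admin2" are flagged, while "jsmith" at 08:12 is not; the single profile change is listed regardless of when it occurred, since each change should match a documented approval.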

Network Operations Center and Server Room

Procedure Performed: We physically inspected the BOCES NOC (Network Operations Center) at the Yorktown Heights campus to verify that it is properly secured behind a locked door, that the temperature is suitably regulated and that the equipment is reasonably protected from fire and floods.

Findings: While observing the Yorktown Heights Campus NOC, we noted that the temperature is regulated manually by BOCES personnel and there is no warning system to notify BOCES personnel if the temperature exceeds the recommended level.

Recommendation: We recommend that the BOCES implement automatic temperature controls in addition to a warning system to notify the Information Technology department if the temperature exceeds a specified level.

BOCES Corrective Action Plan: BOCES accepts the recommendation to implement automatic temperature controls in addition to a warning system to notify the Information Technology department if the temperature exceeds a specified level. Our Information Technology, Operations and Maintenance, and Business Office departments will work together to find a cost effective and efficient solution for BOCES.

Proposed Implementation Date: 10/31/13
Responsible Party: Director of Information Technology

Procedure Performed: We physically inspected the server room at the Fox Meadow Campus to verify that the room is properly secured, that the temperature is suitably regulated and that the equipment is reasonably protected from fire and floods.

Findings: While observing the Fox Meadow Campus, we noted that the server room is not temperature controlled by a programmable air conditioned cooling device and does not contain a temperature regulation device to establish warning thresholds if the temperature exceeds the recommended level. We also noted that this server room does not have a fire detection system in place as required by the National Fire Protection Association Standard for the Protection of Information Technology Equipment (NFPA 75), nor does it contain fire suppression devices (i.e., fire extinguishers). Lastly, we noted that this server room is not connected to a backup power supply generator, which can lead to system failure in the event of a catastrophic event.

Recommendations: We recommend that the BOCES install a fire detection system in the Fox Meadow Campus server room, at a minimum, to be compliant with the National Fire Protection Association Standard for the Protection of Information Technology Equipment (NFPA 75). We also recommend that the Fox Meadow Campus server room be equipped with a fire suppression device to limit damage in the event a fire occurs, and with a programmable air conditioned cooling device to prevent overheating of the IT hardware housed within this room. Lastly, we recommend that the BOCES either install a temperature monitoring system or put procedures in place to regularly inspect the temperature inside both the Yorktown Campus and Fox Meadow Campus server rooms, in case temperatures rise above acceptable levels.

BOCES Corrective Action Plan: BOCES will review the recommendation and develop a corrective action plan following additional analysis and consultation with our Audit Committee. This corrective action plan will be in place within 90 days of receipt of the final audit report, as per Commissioner's Regulation 170.12.

Proposed Implementation Date: 6/30/2014
Responsible Party: Director of Information Technology

WinCap Permissions

Procedure Performed: We reviewed the BOCES procedures for documenting changes to user access within WinCap, including additions, deletions and modifications.

Finding: We noted that the BOCES does not have a formal procedure to document changes to user access.

Recommendation: We recommend that the BOCES implement a request form documenting any changes to user access within WinCap, and that the change form be authorized and approved.

BOCES Corrective Action Plan: BOCES accepts the recommendation to implement a request form documenting changes to user access in part. With time and resources at a premium, we believe a written form would be an inefficient use of both. With the ability to change user security rights limited to the Chief Information Officer, Director of Business Affairs, and School Business Administrator, we believe sufficient management authorization is obtained at the time of the update. As a means to address the recommendation, though, we will employ a process whereby the requestor will be asked to make a formal request via an email to the intended security administrator. If approved, the security administrator in question will act upon the request, reply to the requestor via email, and copy the other two security administrators for their awareness.

Procedure Performed: We reviewed the user permissions within WinCap to identify multiple active user accounts, generic user accounts, and permissions granted to employees that may not be consistent with their job responsibilities.

Finding: We noted three individuals who have two active user accounts within WinCap.

Recommendation: We recommend that the BOCES ensure that each individual who has access to WinCap is given only one active user account.

BOCES Corrective Action Plan: BOCES does not accept the recommendation to limit each individual to only one active WinCap account. A small number of users have been given a second userid for backup support functions only. While these user rights could be incorporated in the user's primary account, we have found that a second account makes it easier to track the user's activities within this support function. As such, we believe this actually improves our controls posture.

Procedure Performed: We compared a list of employees who separated from BOCES service during the 2012-2013 fiscal year to the active user permissions within WinCap.

Finding: We noted that the BOCES has properly inactivated users who have separated from the BOCES.

BOCES Corrective Action Plan: Not Needed

Findings: We noted the following example of a segregation of duties violation within WinCap, where a BOCES employee has access to various accounting functions and no audit trail or other compensating control was performed: the Junior Administrative Assistant has the ability to perform cash receipts, journal entries and payroll processing, and to enter accounts receivable.

Recommendation: We recommend that the BOCES review its current permissions in WinCap and create a system of controls that ensures the proper segregation of duties and restricts access where necessary, or perform a compensating control. In addition, if an employee functions as a backup to another employee, permissions should be temporarily granted and then taken away as needed.

BOCES Corrective Action Plan: BOCES accepts the recommendation to review its current permissions in WinCap and create a system of controls to ensure proper segregation of duties and restrict access where necessary, or perform a compensating control. We will do so through a methodical review of all user rights assigned. We also agree that if an employee is providing short-term backup support outside of their normal job responsibilities, permissions should be temporarily granted and taken away as needed. If this support is more regular, though, we will continue to explore the creation of a second userid, with rights restricted to those essential for the backup support function.

Proposed Implementation Date: 4/1/2014
Responsible Party: School Business Administrator
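The following is an added worked example, not part of the report and not WinCap functionality. It shows the two user-permission tests applied above, run over a constructed export of WinCap-style accounts: individuals holding more than one active account, and segregation-of-duties conflicts. Because a second userid does not reduce an individual's combined access, the conflict check unions the functions of all of a person's active accounts before testing them, which is the angle the "second userid for backup support" discussion turns on. The account names, people, function codes and the incompatible-function pairs are assumptions constructed for the illustration; an organisation defines its own conflict matrix.

```python
from collections import defaultdict

# Constructed user-permission export (not real data):
# (account id, person, status, set of WinCap function codes)
ACCOUNTS = [
    ("jdoe", "J. Doe", "active",
     {"CASH_RECEIPTS", "JOURNAL_ENTRIES", "PAYROLL_PROCESSING", "ACCOUNTS_RECEIVABLE"}),
    ("rlee", "R. Lee", "active", {"PURCHASING"}),
    ("rlee_bkp", "R. Lee", "active", {"ACCOUNTS_PAYABLE"}),   # second userid for backup support
    ("tkim", "T. Kim", "inactive", {"PAYROLL_PROCESSING"}),   # separated employee, deactivated
    ("tkim2", "T. Kim", "active", {"JOURNAL_ENTRIES"}),
]

# Illustrative incompatible-function pairs (an assumption for this example,
# not an authoritative matrix). Each pair lets one person both initiate and
# conceal a transaction if no compensating control exists.
CONFLICT_PAIRS = [
    frozenset({"CASH_RECEIPTS", "JOURNAL_ENTRIES"}),
    frozenset({"CASH_RECEIPTS", "ACCOUNTS_RECEIVABLE"}),
    frozenset({"PAYROLL_PROCESSING", "JOURNAL_ENTRIES"}),
    frozenset({"PURCHASING", "ACCOUNTS_PAYABLE"}),
]


def multiple_active_accounts(accounts):
    """Map each person with more than one active account to their account ids."""
    by_person = defaultdict(list)
    for acct, person, status, _ in accounts:
        if status == "active":
            by_person[person].append(acct)
    return {p: sorted(a) for p, a in by_person.items() if len(a) > 1}


def effective_functions(accounts):
    """Union of functions across all of a person's active accounts.
    Inactive accounts grant nothing, so they are excluded."""
    effective = defaultdict(set)
    for _, person, status, funcs in accounts:
        if status == "active":
            effective[person] |= funcs
    return effective


def sod_conflicts(accounts):
    """Map each person to the sorted list of conflict pairs they hold.
    A pair split across two accounts of the same person still counts."""
    findings = {}
    for person, funcs in effective_functions(accounts).items():
        hits = sorted(tuple(sorted(pair)) for pair in CONFLICT_PAIRS if pair <= funcs)
        if hits:
            findings[person] = hits
    return findings


if __name__ == "__main__":
    for person, accts in multiple_active_accounts(ACCOUNTS).items():
        print("multiple active accounts:", person, accts)
    for person, pairs in sod_conflicts(ACCOUNTS).items():
        print("segregation of duties conflict:", person, pairs)
```

On the constructed data, J. Doe mirrors the report's Junior Administrative Assistant finding (three conflicting pairs within one account), R. Lee is reported both for holding two active accounts and for a conflict that only appears once the two accounts' rights are combined, and T. Kim is clean because the separated account is inactive.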

Vendor/Employee Match

Procedure Performed: We performed a comparison of the master vendor file to the master employee file to identify possible conflicts of interest.

Finding: We found two employees that had the same address as a vendor (different name from the employee) as a result of applying this procedure.

Recommendation: We recommend that the BOCES review the employee and vendor information to determine if there is a conflict of interest.

BOCES Corrective Action Plan: BOCES accepts the recommendation to review employee and vendor information to determine if there is a conflict of interest. Following an initial comprehensive review, a vendor change report will be given to the Claims Auditor with each check warrant. This will allow the Claims Auditor to review for potential conflicts of interest. Any potential conflicts of interest will be discussed with the Director of Business Affairs or School Business Administrator.

Proposed Implementation Date: 10/15/13
Responsible Party: School Business Administrator

Vendor Master File

Procedure Performed: We reviewed the master vendor file to verify that the master vendor file is complete, accurate, free of duplicate vendors, and up to date.

Finding: We noted several vendors that have the same name but two different vendor numbers.

Recommendation: We recommend the BOCES update the master vendor file establishing one vendor number for each vendor.

BOCES Corrective Action Plan: BOCES accepts the recommendation to update the master vendor file establishing one vendor number for each vendor. This recommendation has been put into practice with the advent of the ability to create multiple vendor remit addresses for the same vendor number. We will work to remove old duplicates from the vendor table.
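Both vendor-file procedures above (employee/vendor address match and duplicate vendor numbers) reduce to joins on a normalised key. The following is an added illustration, not the auditors' procedure or tooling; the vendor and employee extracts are constructed, and the normalisation rule (case, punctuation and spacing removed) is an assumption chosen so that trivial formatting differences do not hide a match.

```python
"""Constructed vendor-master checks (added example, not from the audit report):
1. vendors sharing a mailing address with an employee of a different name;
2. vendor names that appear under more than one vendor number.
"""
import re
from collections import defaultdict

def normalize(text):
    """Lower-case, drop punctuation and collapse whitespace so 'St.' vs 'St' or a
    doubled space does not defeat the comparison (assumed rule, not the report's)."""
    return re.sub(r"\s+", " ", re.sub(r"[^\w\s]", "", text.lower())).strip()

# Constructed sample extracts: (vendor_number, name, address) / (employee_id, name, address)
VENDORS = [
    ("V1001", "Acme Supplies, Inc.",  "12 Oak St., Carmel, NY 10512"),
    ("V1002", "ACME SUPPLIES INC",    "PO Box 77, Carmel, NY 10512"),
    ("V1003", "Riverside Consulting", "45 Elm Ave, Yorktown Heights, NY 10598"),
    ("V1004", "Jane Rivera",          "45 Elm Ave, Yorktown Heights, NY 10598"),
]
EMPLOYEES = [
    ("E01", "Jane Rivera", "45 Elm Ave  Yorktown Heights, NY 10598"),
    ("E02", "Tom Brooks",  "8 Pine Rd, Brewster, NY 10509"),
]

def employee_vendor_address_matches(vendors, employees):
    """Return (employee_id, vendor_number) pairs whose addresses match while the
    names differ, which is the pattern the audit finding describes."""
    by_addr = defaultdict(list)
    for vnum, vname, vaddr in vendors:
        by_addr[normalize(vaddr)].append((vnum, normalize(vname)))
    hits = []
    for eid, ename, eaddr in employees:
        for vnum, vname in by_addr.get(normalize(eaddr), []):
            if vname != normalize(ename):
                hits.append((eid, vnum))
    return hits

def duplicate_vendors(vendors):
    """Return {normalised name: sorted vendor numbers} for names with more than one number."""
    by_name = defaultdict(set)
    for vnum, vname, _ in vendors:
        by_name[normalize(vname)].add(vnum)
    return {n: sorted(v) for n, v in by_name.items() if len(v) > 1}

if __name__ == "__main__":
    print("address matches:", employee_vendor_address_matches(VENDORS, EMPLOYEES))
    print("duplicate vendors:", duplicate_vendors(VENDORS))
```

Matches should be reviewed by a person before any conclusion is drawn: a shared address may be a legitimate home-based vendor or a stale record rather than a conflict.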
Proposed Implementation Date: 1/1/2014
Responsible Party: School Business Administrator

Procedure Performed: We reviewed the BOCES procedures for documenting changes to vendor data within WinCap, including additions, deletions and modifications.

Finding: We noted that the BOCES does not have a formal procedure to document changes to vendor data.

Recommendation: We recommend that the BOCES implement a request form documenting any changes to vendor information within WinCap, and that the change form be authorized and approved.

BOCES Corrective Action Plan: BOCES will review the recommendation and develop a corrective action plan following additional analysis and consultation with our Audit Committee. This corrective action plan will be in place within 90 days of receipt of the final audit report, as per Commissioner's Regulation 170.12.

Disaster Recovery Plan

Procedure Performed: We interviewed the Information Technology Director with regards to the BOCES Disaster Recovery Plan to determine if it identifies critical information technology infrastructure and equipment, establishes the most suitable recovery strategy for each major application utilized by the BOCES, and identifies those individuals responsible for overseeing the disaster recovery process.

Finding: BOCES has not adopted a formal Disaster Recovery Plan, but has a Technology Plan in place. The Technology Plan identifies critical information technology infrastructure and equipment; however, it does not establish the most suitable recovery strategy for each major application utilized by the BOCES or identify those individuals responsible for overseeing the disaster recovery process.

Recommendation: We recommend the BOCES adopt a formal Disaster Recovery Plan to establish the most suitable recovery strategy for each major application utilized by the BOCES, and identify those individuals responsible for overseeing the disaster recovery process.

BOCES Corrective Action Plan: BOCES accepts the recommendation to adopt a formal Disaster Recovery Plan to establish the most suitable recovery strategy for WinCap and identify those individuals responsible for overseeing the disaster recovery process. While we currently have a recovery plan in place, we agree that it is practical to formally outline these procedures in a Disaster Recovery Plan. With over 500 individual applications in use, we do not accept the recommendation to complete this process for each application. We have analyzed our environment and believe that WinCap is our most mission critical application, and as such, are focusing our efforts accordingly.

Proposed Implementation Date: 6/30/2014
Responsible Party: Director of Information Technology

CORRECTIVE ACTION PLAN

The BOCES is required to prepare a corrective action plan in response to any findings contained in the internal audit reports. As per Commissioner's Regulation 170.12, a corrective action plan, which has been approved by the Board, must be submitted to the State Education Department within 90 days of the receipt of a final internal audit report. The approved corrective action plan and a copy of the respective internal audit report should be sent to the following address:

New York State Education Department
Office of Audit Services, Room 524 EB
89 Washington Avenue
Albany, New York 12234
Attention: John Cushin