NY State Comptroller DiNapoli Releases School District Audits
Arkport Central School District – Network Access Controls (2021M-162)
January 28, 2022
Quick Facts about the District:
| Enabled Network User Accounts | |
| Student | 489 |
| Non-Student | 259 |
| Total | 748 |
| IT Vendor Contract Services | |
| 2021 Expenditures | $602,824 |
Audit Period
July 1, 2020 – September 21, 2021
Audit Objective
Determine whether Arkport Central School District (District) officials ensured network access controls were secure.
Key Findings
District officials did not ensure that the District’s network access controls were secure.
- District officials did not establish written policies or procedures to add or disable user accounts and permissions.
- The District had 92 unneeded network user accounts and nine user accounts with unnecessary administrative permissions.
In addition, sensitive IT control weaknesses were communicated confidentially to officials.
Key Recommendations
- Establish written policies or procedures for managing network user accounts.
- Regularly review network user accounts and disable those that are unnecessary.
- Assess network user permissions on a regular basis and ensure that network user accounts provide users with appropriate permissions needed to perform their job duties.
District officials generally agreed with our recommendations and indicated they will take corrective action. Appendix B includes our comment on the District’s response.
Read the full report (pdf)
Nyack Union Free School District – Network User Accounts (2021M-113)
January 28, 2022
Quick Facts about the District:
| Network User Accounts Reviewed | |
| Staff | 464 |
| Non-Employee | 254 |
| Generic | 171 |
| Total | 889 |
Audit Period
July 1, 2018 – December 1, 2020
We extended the audit scope through March 15, 2021 to complete our IT testing.
Audit Objective
Determine whether Nyack Union Free School District (District) officials adequately managed and monitored network user accounts.
Key Findings
District officials did not ensure that network user accounts were adequately managed and monitored. Officials did not:
- Monitor compliance with the District’s computer acceptable use policy.
- Maintain a current authorized user list.
Sensitive information technology (IT) control weaknesses were communicated confidentially in a separate letter to officials.
Key Recommendations
- Monitor compliance with the computer acceptable use policy.
- Develop written procedures for managing system access that include periodically reviewing user access and disabling unnecessary network user accounts.
District officials agreed with our recommendations and indicated they will take and have taken corrective action.
Read the full report (pdf)