February 20, 2021

Municipal and school district audits issued during the week ending February 19, 2021

New York State Comptroller Thomas P. DiNapoli announced the following municipal and school district audits were issued during the week ending February 19, 2021.

Click on the text highlighted in color to access the complete audit report

MUNICIPAL AUDITS

New York State Comptroller Thomas P. DiNapoli today announced the following local government and school district audits have been issued.

 

Village of Red Hook – Information Technology (Dutchess County) Officials did not adequately secure and protect the village’s information technology (IT) systems against unauthorized use, access and loss. The board also did not adopt required or sufficient IT policies, provide users with IT security awareness training, or develop a disaster recovery plan. Officials were unaware that employees were accessing websites for nonbusiness purposes because they did not routinely monitor employee Internet use. The IT consultant’s responsibilities were not defined and officials did not have a formal contract with the consultant. In addition, sensitive IT control weaknesses were communicated confidentially to officials.

 

Village of Pittsford – Audit Follow-Up Letter (Monroe County) In a previous report issued in July 21, 2017, auditors identified problems with the board’s oversight over the village’s financial operations. When auditors revisited the village in August 2020 to review progress, they found limited corrective actions had occurred. Of the seven audit recommendations, one recommendation was fully implemented, four recommendations were partially implemented and two recommendations were not implemented.

 SCHOOL DISTRICT AUDITS

Honeoye Falls Lima Central School District – Access Controls (Livingston County, Monroe County and Ontario County)   District officials did not ensure user access controls were appropriate and secure. Officials did not adopt key information technology (IT) security policies, resulting in increased risk that data, hardware and software may be lost or damaged by inappropriate use or access. Officials also did not regularly review network user accounts and permissions to determine whether they were appropriate or needed to be disabled.

In addition, sensitive IT control weaknesses were communicated confidentially to officials. Due to the COVID-19 pandemic, with the district‘s increased reliance on a remote learning environment and administrative operations, protecting IT assets is critical.