Internal Audit Report - PNW BOCES


Putnam/Northern Westchester BOCES
Internal Audit Report on Information Technology

Putnam/Northern Westchester BOCES
Internal Audit Report on Information Technology

TABLE OF CONTENTS

Report on Internal Controls Related to Information Technology          Page
Network and Network Security                                           1
Accounting Information System                                          2
Other Applications                                                     3
Information Technology and Disaster Recovery Plan                      4
Findings and Recommendations                                           5 - 10
Corrective Action Plan                                                 10

R.S. Abrams & Co, LLP – Accountants & Consultants for Over 75 Years

Board of Education
Putnam/Northern Westchester BOCES
200 BOCES Drive
Yorktown Heights, New York 10598

We have been engaged by the Board of Education (the “Board”) of Putnam/Northern Westchester BOCES (the “BOCES”) to provide internal audit services with respect to the BOCES internal controls related to information technology for the period April 1, 2013 through June 30, 2013.

The objectives of the engagement were to evaluate and report on the BOCES internal controls pertaining to information technology and to test for compliance with laws, regulations, and the BOCES’ Board policies and procedures.

In connection with the following procedures, we have provided findings and recommendations for the internal controls related to information technology. Our procedures were as follows:

• Reviewed the BOCES’ policies, procedures, and practices with regards to the internal controls related to information technology;
• Interviewed key BOCES employees involved in the information technology processes;
• Performed a physical observation of the BOCES’ server rooms at the Yorktown Campus and the Fox Meadow Campus to verify the server rooms were properly secured and that the servers were reasonably protected from fire and floods;
• Reviewed the user permissions within the accounting information system to identify multiple active user accounts, generic user accounts, and possible permissions granted to various employees that may not be consistent with their job responsibilities;
• Performed a comparison of the master vendor file to the master employee file to identify possible conflicts of interest;
• Reviewed the master vendor file to verify that the master vendor file was complete, accurate, free of duplicate vendors, and up to date; and
• Reviewed the BOCES’ Technology Plan to determine that the Plan identified critical information technology infrastructure and equipment, established the most suitable recovery strategy for each application utilized by the BOCES, and identified those individuals responsible for overseeing the disaster recovery process.

The results of our procedures are presented on the following pages.

Our procedures were not designed to express an opinion on the internal controls related to information technology, and we do not express such an opinion. As you know, because of inherent limitations of any internal control, errors or fraud may occur and not be prevented or detected by internal controls. Also, projections of any evaluation of the accounting system and controls to future periods are subject to the risk that procedures may become inadequate because of changed conditions.

We would like to acknowledge the courtesy and assistance extended to us by personnel of the BOCES. We are available to discuss this report with the Board or others within the BOCES at your convenience.

This report is intended solely for the information and use of the Board, the Audit Committee and the management of the BOCES and is not intended to be and should not be used by anyone other than those specified parties.

Very truly yours,
R.S. Abrams & Co., LLP
August 19, 2013

NETWORK AND NETWORK SECURITY

Firewalls and Intrusion Detection Systems

A firewall is used to implement access control between two networks. It allows the authorized BOCES’ network users to access outside information while preventing those outside the BOCES from accessing the BOCES’ systems. The BOCES’ firewall consists of a combination of hardware and software that provide several layers of protection against intrusions. The first layer of firewall protection, WatchGuard, utilizes “Unified Threat Management” (UTM) appliance technology. In addition, the BOCES uses “Symantec Enterprise Endpoint Protection”. This high-end software is installed on key servers as well as every BOCES computer. It further verifies and protects information if it passes through the WatchGuard Firewall.

Physical Security

The BOCES’ Network Operations Center (“NOC”) is currently at the Yorktown Campus. In addition to the NOC there is a server room located at the Fox Meadow Campus. The Yorktown Campus server room is temperature controlled and uninterruptible power supply (“UPS”) units are in place to protect the BOCES’ equipment from an unexpected power disruption that could cause business disruption or data loss.

Back-up Controls

The BOCES utilizes many servers that back up nightly at 8 p.m. The BOCES also contracts with an outside vendor to back up all data, including WinCap data, nightly and stores it in two offsite locations in Virginia and Michigan.

Network and Email Access

Microsoft Exchange serves as the BOCES’ email server and the BOCES uses Active Directory for the authentication of network users. All access requests, changes to user permissions, additions of new employees and removal of terminated employees from Active Directory are executed by the Director of Technology or Network Manager.

VPN

A virtual private network (“VPN”) is a network that allows remote users to securely access the BOCES’ network using a public telecommunication infrastructure, such as the Internet. To gain access, users must pass a password validation first with an “RSA SecurID” keycard (which updates passwords every minute) and then WatchGuard. After passing these two steps, users must input the proper Windows security password for that specific desktop to gain access. In addition to users being granted access from time to time, WinCap has VPN access. However, this access is limited to the WinCap server only. When WinCap needs VPN access to perform server maintenance, they must contact the Director of Technology to establish a window of time for performing maintenance. WinCap will then be granted VPN access for the agreed upon period of time and when this time expires, access will be terminated. The BOCES also uses Transport Layer Security, which automatically applies cryptographic protocols to healthcare-related vendor information, including emails, to provide security over confidential information.

ACCOUNTING INFORMATION SYSTEM

The BOCES utilizes WinCap as its Accounting Information System (“AIS”). This application was installed by WinCap and requires WinCap to perform application updates, database management and, if necessary, system restores. The following modules of WinCap were identified as being utilized by the BOCES (a brief description of the modules has been provided):

o Accounting – Maintains general ledger, accounts payable, budgetary accounting, receipts/revenue, encumbrances/purchasing, project/grant accounting; generates financial documents such as computer-generated checks, purchase orders, account and vendor histories, and assists with controls to maintain data integrity and balanced entries.
o Payroll – A payroll generation program that provides detailed employee records and custom generation of payroll.
o Pay Authorization Module – Sets up permissions to particular job functions.
o Bid Module – Maintains all bid information.
o Employee Attendance – Tracks sick, vacation and personal days histories for each employee.
o Employee Benefits – Benefits tracking.
o Human Resource, Appointments – Maintains all employee data, including educational and PDP credits, observations and evaluations, fingerprint tracking, retirement data and emergency medical information.

Passwords

The BOCES should have procedures in place to periodically verify that its system of controls is working as intended, is still needed, and is cost effective, including a review of the controls over access to information systems. Access to computerized files and transactions should be restricted to authorized individuals only. This can be accomplished with the use of passwords and software that restricts users' access and can help ensure that only authorized individuals utilize the computer system.

Permissions

A good internal control framework requires the BOCES management to develop a system of controls that includes proper segregation of duties of the BOCES operations. A proper segregation of duties should exist not only in manual processes, but also within the AIS. WinCap allows the IT Administrator and the School Business Administrator to restrict access to functions specific to job descriptions.

OTHER APPLICATIONS

eSchoolData

eSchoolData is the student data management application currently utilized by the BOCES, which allows the BOCES to track attendance, behavior, and grades by student. The system also provides a course catalog, graduation planning, a grade book, and assists the BOCES in preparing required reports submitted to the New York State Education Department. The entire system is web-based, which allows teachers, instructional administrators, instructional clerical staff, and parents to access student information. Further restrictions are applied to the individuals’ user privileges to ensure that only authorized users are seeing specific information (i.e. teachers only have access to enter attendance and grades; all other functions are restricted).

IEP Direct and BOCES Direct

IEP Direct is the special education student management application currently utilized by the BOCES. In addition, BOCES Direct is used in conjunction with IEP Direct and is used strictly for the billing portion. IEP and BOCES Direct are web-based applications that are used to track student IEPs, evaluations, meetings, and billings for services, and assist school districts with the preparation of New York State required reports. Additionally, IEP Direct enables the preparation of STAC forms by the appropriate school district. IEP Direct also facilitates the BOCES’ compliance with applicable privacy laws and regulations.

XEN Direct

XEN Direct is currently utilized by the BOCES for the continuing education, adult education and adult literacy programs. XEN Direct is a web-based application that is used to track student attendance and grade reporting.

INFORMATION TECHNOLOGY AND DISASTER RECOVERY PLANS

Information Technology Plan

The purpose of the BOCES Technology Plan is to define and outline the steps necessary to prepare students for challenges and opportunities in their educational endeavors by providing the best possible technology environment. The BOCES Technology Plan discusses the BOCES plans for architecture, hardware, software, staff training, implementation, and evaluation. The current Technology Plan covers a three-year period from 2010 through 2013.

Disaster Recovery Plan

Disaster recovery planning is a subset of a larger process known as business continuity planning and includes planning for resumption of applications, data, hardware, communications (such as networking), and other information technology infrastructure. While the BOCES would like to ensure zero data loss and zero time loss in the event of a disaster, the costs associated with that level of protection may be impractical.

The BOCES Technology Plan is comprised of several sections that document the procedures and resources that are to be followed and used in the event that a disaster occurs at the BOCES. The sections of the Technology Plan are as follows:

o Current Status;
o Network Infrastructure;
o Software;
o Administrative Applications;
o Student Management Systems;
o Access;
o Training and Support; and
o Goals & Objectives, Implementation Strategies, and Evaluation Plans.

FINDINGS AND RECOMMENDATIONS

Based on our interviews, observations, and detailed testing, we have provided our findings and recommendations below to further strengthen the BOCES’ internal controls as they pertain to information technology processes and procedures outlined above.

It should be noted that these recommendations are provided to the BOCES to assist management in improving the BOCES’ internal controls and procedures relating to information technology. It is important to note that our findings and recommendations are directed toward the improvement of the system of internal controls and should not be considered a criticism of, or reflection on, any employee of the BOCES.

Policies and Procedures

Procedure Performed: We reviewed the BOCES policies to determine whether the BOCES has adopted the legally required policies with regards to information technology.

Result: BOCES has the minimum required policies: Confidentiality of IEP’s (Policy #6330), Internet Safety (Policy #7260), and Information Security Breach and Notification (Policy #4590).

***

Procedure Performed: We reviewed the BOCES policies and procedures to determine whether the BOCES has adopted the recommended policies and procedures per the Office of the State Comptroller with regards to information technology.

Finding: We noted that the BOCES has a Technology Plan (the “Plan”) for 2010-2013 that includes areas such as a disaster recovery plan, data backup systems, physical controls, and remote access controls. In addition, BOCES utilizes Symantec’s Enterprise Level Endpoint protection for anti-virus protection. However, the Plan does not outline procedures for anti-virus protections or password security as recommended by the Office of the State Comptroller.

Recommendation: We recommend that the BOCES expand their Technology Plan to include procedures for anti-virus protection and password security.

BOCES Corrective Action Plan: BOCES accepts the recommendation to expand our Technology Plan to include procedures for anti-virus and password security. While we currently utilize anti-virus protection and password security as integral components of our Information Technology security environment, we agree that it is practical to formally outline these procedures in our Technology Plan.

Proposed Implementation Date: 11/13/2013
Responsible Party: Director of Information Technology

***

Procedure Performed: We reviewed the BOCES procedures with regards to the internal controls related to information technology.

Findings: We noted that the BOCES does not periodically review audit trail reports within WinCap for user activity to identify any errors or activity that appears to be unusual. Additionally, we noted that the BOCES does not review the user security profile change report within WinCap, which includes a login/logout report, to identify unusual user changes and/or users who may be logging into the financial software at unusual times.

Recommendation: We recommend that the BOCES implement procedures to review audit trails. We also recommend that the BOCES periodically review the user security profile change report within WinCap to identify unusual user information changes and ensure users are not accessing the financial software at unusual times. Additionally, we recommend that these reviews be documented and maintained on file within the business office.

BOCES Corrective Action Plan: BOCES accepts the recommendation to periodically review the user security profile change report within WinCap. This report will be reviewed quarterly to ensure securities are appropriate. These reports will be kept on file in the Business Office. BOCES does not accept the recommendation to implement procedures to review WinCap audit trails. The incredible volume of activities and transactions executed on the WinCap system within even the shortest of periods makes a review of these activities impractical. We believe a mitigating control would be a comprehensive initial review of user rights, combined with periodic reviews of the user security change report as identified above.

Proposed Implementation Date: 4/1/2014
Responsible Party: School Business Administrator

Procedure Performed: We reviewed the BOCES policies, procedures, and practices with regard to information technology in cash management.

Finding: We noted that the BOCES does not utilize a computer dedicated solely for processing wire transfers as recommended by the Office of the State Comptroller.

Recommendation: We recommend that the BOCES have one computer utilized solely for processing wire transfers. This will help minimize the computer’s exposure to attacks that could compromise sensitive BOCES information.

BOCES Corrective Action Plan: BOCES does not accept the recommendation to have one computer utilized solely for processing wires. We believe that the current authentication process required before any machine can be utilized provides BOCES with a level of security that is enhanced from the single computer model. In addition, we believe bank website userid and password requirements, the use of RSA key tags, and second level approval requirements for wire activities collectively create a sound control environment. Finally, we believe the demands and work schedules of those involved, as well as the potential for building closures, make the single computer model an ineffective solution for us at the current time.

Network Operating Center and Server Room

Procedure Performed: We physically inspected the BOCES’ NOC (Network Operating Center) at the Yorktown Heights campus to verify that it is properly secured behind a locked door, temperature is suitably regulated and that the equipment is reasonably protected from fire and floods.

Findings: While observing the Yorktown Heights Campus NOC we noted that the temperature is regulated manually by the BOCES personnel and there is no warning system to notify the BOCES personnel if the temperature exceeds the recommended heat level.

Recommendation: We recommend that the BOCES implement automatic temperature controls in addition to a warning system to notify the Information Technology department if the temperature exceeds a specified level.

BOCES Corrective Action Plan: BOCES accepts the recommendation to implement automatic temperature controls in addition to a warning system to notify the Information Technology department if the temperature exceeds a specified level. Our Information Technology, Operations and Maintenance, and Business Office departments will work together to find a cost effective and efficient solution for BOCES.

Proposed Implementation Date: 10/31/13
Responsible Party: Director of Information Technology

Procedure Performed: We physically inspected the server room at the Fox Meadow Campus to verify that the room is properly secured, temperature is suitably regulated and that the equipment is reasonably protected from fire and floods.

Findings: While observing the Fox Meadow Campus, we noted the server room is not temperature controlled by a programmable air conditioned cooling device and does not contain a temperature regulation device to establish warning thresholds if the temperature exceeds the recommended heat level. We also noted that this server room does not have a fire detection system in place as required by the National Fire Protection Association Standard for the Protection of Information Technology Equipment (NFPA 75), nor does it contain fire suppression devices (i.e. fire extinguishers). Lastly, we noted this server room is not connected to a backup power supply generator, which can lead to system failure in the event of a catastrophic event.

Recommendations: We recommend that the BOCES install a fire detection system at the Fox Meadow Campus server room, at a minimum, to be compliant with the National Fire Protection Association Standard for the Protection of Information Technology Equipment (NFPA 75). We also recommend the Fox Meadow Campus server room be equipped with a fire suppression device to limit damages in the event a fire occurs and with a programmable air conditioned cooling device to prevent overheating of the IT hardware housed within this room. Lastly, we recommend that the BOCES either install a temperature monitoring system or put procedures in place to regularly inspect the temperature inside both the Yorktown Campus and Fox Meadow Campus server rooms in the event that temperatures rise above acceptable levels.

BOCES Corrective Action Plan: BOCES will review the recommendation and develop a corrective action plan following additional analysis and consultation with our Audit Committee. This corrective action plan will be in place within 90 days of receipt of the final audit report, as per Commissioner’s Regulation §170.12.

Proposed Implementation Date: 6/30/2014
Responsible Party: Director of Information Technology

***

WinCap Permissions

Procedure Performed: We reviewed the BOCES procedures for documenting changes to user access within WinCap, including additions, deletions and modifications.

Finding: We noted that the BOCES does not have a formal procedure to document changes to user access.

Recommendation: We recommend that the BOCES implement a request form documenting any changes to user access within WinCap, and that the change form be authorized and approved.

BOCES Corrective Action Plan: BOCES accepts the recommendation to implement a request form documenting changes to user access in part. With time and resources at a premium, we believe a written form would be an inefficient use of both. With the ability to change user security rights limited to the Chief Information Officer, Director of Business Affairs, and School Business Administrator, we believe sufficient management authorization is obtained at the time of the update. As a means to address the recommendation though, we will employ a process whereby the requestor will be asked to make a formal request via an email to the intended security administrator. If approved, the security administrator in question will act upon the request, reply to the requestor via email, and copy the other two security administrators for their awareness.

***

Procedure Performed: We reviewed the user permissions within WinCap to identify multiple active user accounts, generic user accounts, and possible permissions granted to employees that may not be consistent with their job responsibilities.

Finding: We noted three individuals who have two active user accounts within WinCap.

Recommendation: We recommend that the BOCES ensure that each individual who has access to WinCap be given only one active user account.

BOCES Corrective Action Plan: BOCES does not accept the recommendation to limit each individual to only one active WinCap account. A small number of users have been given a second userid for backup support functions only. While these user rights could be incorporated in the user’s primary account, we have found that a second account makes it easier to track the user’s activities within this support function. As such, we believe this actually improves our controls posture.

***

Procedure Performed: We compared a list of employees who have separated from the BOCES service during the 2012-2013 fiscal year to the active user permissions within WinCap.

Finding: We noted that the BOCES has properly inactivated users who have separated from the BOCES.

BOCES Corrective Action Plan: Not Needed

***

Findings: We noted the following example of segregation of duties violations within WinCap where a BOCES’ employee has access to various accounting functions and no audit trail or other compensating control was performed:

• The Junior Administrative Assistant has the ability to perform cash receipts, journal entries, payroll processing and enter accounts receivable.

Recommendation: We recommend that the BOCES review its current permissions in WinCap and create a system of controls that ensures the proper segregation of duties and restrict access where necessary, or perform a compensating control. In addition, if an employee functions as a backup to another employee, permissions should be temporarily granted and then taken away as needed.

BOCES Corrective Action Plan: BOCES accepts the recommendation to review its current permissions in WinCap and create a system of controls to ensure proper segregation of duties and restrict access where necessary, or perform a compensating control. We will do so through a methodical review of all user rights assigned. We also agree that if an employee is providing short-term backup support outside of their normal job responsibilities, permissions should be temporarily granted and taken away as needed. If this support is more regular though, we will continue to explore the creation of a second userid, with rights restricted to those essential for the backup support function.

Proposed Implementation Date: 4/1/2014
Responsible Party: School Business Administrator
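The WinCap permission review described in the findings above (individuals with more than one active account, separated employees still active, segregation-of-duties conflicts, and temporary backup grants that should have been taken away), as an added Python example run over a constructed account extract. This is not the auditor's or WinCap's own tooling; the record layout, the `expires` field and the conflict matrix are assumptions.

```python
"""Checks from the WinCap user-permission review above, run over a
constructed (made-up) account extract.  Added example: not the auditor's or
WinCap's own tooling; the record layout, the 'expires' field and the
segregation-of-duties matrix are assumptions."""
from collections import defaultdict
from datetime import date

REVIEW_DATE = date(2013, 8, 19)  # report date, used as "today" for expiry checks

# Constructed sample export, one record per user account.  'person' is the
# individual behind the account; 'expires' is set only on temporary backup
# grants (assumed field, not something the page says WinCap records).
ACCOUNTS = [
    {"user_id": "jdoe", "person": "J. Doe", "active": True,
     "functions": {"cash_receipts", "journal_entries",
                   "payroll_processing", "accounts_receivable"},
     "expires": None},
    {"user_id": "jdoe_bk", "person": "J. Doe", "active": True,
     "functions": {"bid_module"}, "expires": date(2013, 6, 30)},
    {"user_id": "asmith", "person": "A. Smith", "active": True,
     "functions": {"employee_attendance"}, "expires": None},
    {"user_id": "asmith2", "person": "A. Smith", "active": False,
     "functions": {"payroll_processing"}, "expires": None},
    {"user_id": "rlee", "person": "R. Lee", "active": True,
     "functions": {"accounts_payable"}, "expires": None},
]
# Employees who separated from service during the fiscal year (constructed).
SEPARATED = {"R. Lee"}

# Illustrative segregation-of-duties matrix (an assumption): function pairs a
# single account should not hold without a compensating control.
CONFLICTING_PAIRS = [
    frozenset({"cash_receipts", "journal_entries"}),
    frozenset({"cash_receipts", "accounts_receivable"}),
    frozenset({"payroll_processing", "journal_entries"}),
    frozenset({"accounts_payable", "journal_entries"}),
]


def multiple_active_accounts(accounts):
    """Individuals holding more than one active user account."""
    by_person = defaultdict(list)
    for acct in accounts:
        if acct["active"]:
            by_person[acct["person"]].append(acct["user_id"])
    return {p: sorted(ids) for p, ids in by_person.items() if len(ids) > 1}


def separated_but_active(accounts, separated):
    """Active accounts that belong to employees who have left the BOCES."""
    return sorted(a["user_id"] for a in accounts
                  if a["active"] and a["person"] in separated)


def sod_violations(accounts, conflicts=CONFLICTING_PAIRS):
    """(user_id, conflicting pair) for every active account whose function
    set contains both halves of a conflicting pair."""
    found = []
    for acct in accounts:
        if not acct["active"]:
            continue
        for pair in conflicts:
            if pair <= acct["functions"]:
                found.append((acct["user_id"], tuple(sorted(pair))))
    return found


def expired_backup_grants(accounts, today=REVIEW_DATE):
    """Temporary backup accounts still active after their expiry date."""
    return sorted(a["user_id"] for a in accounts
                  if a["active"] and a["expires"] and a["expires"] < today)


if __name__ == "__main__":
    print("multiple active accounts:", multiple_active_accounts(ACCOUNTS))
    print("separated but active:", separated_but_active(ACCOUNTS, SEPARATED))
    print("SoD violations:", sod_violations(ACCOUNTS))
    print("expired backup grants:", expired_backup_grants(ACCOUNTS))
```

Each function returns the exceptions for one audit test, so the output can be filed with the quarterly review the corrective action plan commits to.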

***

Vendor/Employee Match

Procedure Performed: We performed a comparison of the master vendor file to the master employee file to identify possible conflicts of interest.

Finding: We found two employees that had the same address as a vendor (different name from the employee) as a result of applying this procedure.

Recommendation: We recommend that the BOCES review the employee and vendor information to determine if there is a conflict of interest.

BOCES Corrective Action Plan: BOCES accepts the recommendation to review employee and vendor information to determine if there is a conflict of interest. Following an initial comprehensive review, a vendor change report will be given to the Claims Auditor with each check warrant. This will allow the Claims Auditor to review for potential conflicts of interest. Any potential conflicts of interest will be discussed with the Director of Business Affairs or School Business Administrator.

Proposed Implementation Date: 10/15/13
Responsible Party: School Business Administrator

***

Vendor Master File

Procedure Performed: We reviewed the master vendor file to verify that the master vendor file is complete, accurate, free of duplicate vendors, and up to date.

Finding: We noted several vendors that have the same name but two different vendor numbers.

Recommendation: We recommend the BOCES update the master vendor file establishing one vendor number for each vendor.

BOCES Corrective Action Plan: BOCES accepts the recommendation to update the master vendor file establishing one vendor number for each vendor. This recommendation has been put into practice with the advent of the ability to create multiple vendor remit addresses for the same vendor number. We will work to remove old duplicates from the vendor table.

Proposed Implementation Date: 1/1/2014
Responsible Party: School Business Administrator

Procedure Performed: We reviewed the BOCES procedures for documenting changes to vendor data within WinCap, including additions, deletions and modifications.

Finding: We noted that the BOCES does not have a formal procedure to document changes to vendor data.

Recommendation: We recommend that the BOCES implement a request form documenting any changes to vendor information within WinCap, and that the change form be authorized and approved.

BOCES Corrective Action Plan: BOCES will review the recommendation and develop a corrective action plan following additional analysis and consultation with our Audit Committee. This corrective action plan will be in place within 90 days of receipt of the final audit report, as per Commissioner’s Regulation §170.12.

***

Disaster Recovery Plan

Procedure Performed: We interviewed the Information Technology Director with regards to the BOCES Disaster Recovery Plan to determine if it identifies critical information technology infrastructure and equipment, establishes the most suitable recovery strategy for each major application utilized by the BOCES, and identifies those individuals responsible for overseeing the disaster recovery process.

Finding: BOCES has not adopted a formal Disaster Recovery Plan, but has a Technology Plan in place. The Technology Plan identifies critical information technology infrastructure and equipment; however, it does not establish the most suitable recovery strategy for each major application utilized by the BOCES or identify those individuals responsible for overseeing the disaster recovery process.

Recommendation: We recommend the BOCES adopt a formal Disaster Recovery Plan to establish the most suitable recovery strategy for each major application utilized by the BOCES, and identify those individuals responsible for overseeing the disaster recovery process.

BOCES Corrective Action Plan: BOCES accepts the recommendation to adopt a formal Disaster Recovery Plan to establish the most suitable recovery strategy for WinCap and identify those individuals responsible for oversee
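The Vendor/Employee Match and Vendor Master File procedures above (employees sharing an address with a vendor under a different name, vendors listed under more than one vendor number, and the vendor change report the corrective action plan gives the Claims Auditor), as an added Python example over constructed employee and vendor extracts. This is not the auditor's or WinCap's own code; the record layouts and the address and name normalization rules are assumptions.

```python
"""Vendor master file tests from the audit procedures above (employee/vendor
address match, duplicate vendors, vendor change report), run over constructed
(made-up) extracts.  Added example: not the auditor's or WinCap's own tooling;
the record layouts and the normalization rules are assumptions."""
import re
from collections import defaultdict

# Constructed master employee file and master vendor file extracts.
EMPLOYEES = [
    {"name": "Pat Rivera", "address": "12 Elm St., Apt 3, Yorktown Heights, NY 10598"},
    {"name": "Lee Chen", "address": "45 Oak Avenue, Carmel, NY 10512"},
    {"name": "Sam Ortiz", "address": "9 Pine Rd, Brewster, NY 10509"},
]
VENDORS = [
    {"vendor_no": "V001", "name": "Rivera Consulting LLC",
     "address": "12 Elm Street Apt 3, Yorktown Heights NY 10598"},
    {"vendor_no": "V002", "name": "Acme Office Supply",
     "address": "1 Main St, Peekskill, NY 10566"},
    {"vendor_no": "V003", "name": "ACME Office Supply, Inc.",
     "address": "1 Main St, Peekskill, NY 10566"},
    {"vendor_no": "V004", "name": "Lee Chen",
     "address": "45 Oak Ave, Carmel, NY 10512"},
    {"vendor_no": "V005", "name": "Pine Tree Services",
     "address": "9 Pine Road, Brewster NY 10509"},
]

# Normalization rules (assumed; a real review would use a fuller table).
_ABBREV = {"street": "st", "avenue": "ave", "road": "rd", "apartment": "apt"}
_SUFFIXES = {"inc", "llc", "corp", "co", "ltd"}


def normalize_address(addr):
    """Lower-case, strip punctuation, and fold common street-type spellings."""
    tokens = re.findall(r"[a-z0-9]+", addr.lower())
    return " ".join(_ABBREV.get(t, t) for t in tokens)


def normalize_name(name):
    """Lower-case, strip punctuation, and drop legal-form suffixes."""
    tokens = re.findall(r"[a-z0-9]+", name.lower())
    return " ".join(t for t in tokens if t not in _SUFFIXES)


def employee_vendor_address_matches(employees, vendors):
    """(employee, vendor_no, same_name) for every vendor sharing an employee's
    address.  same_name=False is the case in the finding above: a vendor at an
    employee's address under a different name."""
    by_addr = defaultdict(list)
    for v in vendors:
        by_addr[normalize_address(v["address"])].append(v)
    hits = []
    for e in employees:
        for v in by_addr.get(normalize_address(e["address"]), []):
            same = normalize_name(v["name"]) == normalize_name(e["name"])
            hits.append((e["name"], v["vendor_no"], same))
    return hits


def duplicate_vendors(vendors):
    """Normalized vendor names that appear under more than one vendor number."""
    by_name = defaultdict(list)
    for v in vendors:
        by_name[normalize_name(v["name"])].append(v["vendor_no"])
    return {n: sorted(nos) for n, nos in by_name.items() if len(nos) > 1}


def vendor_change_report(previous, current):
    """Vendors added, removed or modified between two snapshots of the master
    vendor file: the report the corrective action plan hands to the Claims
    Auditor with each check warrant."""
    prev = {v["vendor_no"]: v for v in previous}
    curr = {v["vendor_no"]: v for v in current}
    return {
        "added": sorted(curr.keys() - prev.keys()),
        "removed": sorted(prev.keys() - curr.keys()),
        "modified": sorted(k for k in curr.keys() & prev.keys() if curr[k] != prev[k]),
    }


if __name__ == "__main__":
    print("address matches:", employee_vendor_address_matches(EMPLOYEES, VENDORS))
    print("duplicate vendors:", duplicate_vendors(VENDORS))
```

Normalizing before comparing is what makes "12 Elm St., Apt 3" and "12 Elm Street Apt 3" collide; an exact-string comparison would miss the finding the procedure above reports.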
