Copiague Union Free School District - Information Technology (2023M-150)

Issued Date
March 15, 2024

Audit Objective 

Determine whether Copiague Union Free School District (District) officials properly managed nonstudent network user accounts and financial software access controls.

Key Findings

District officials did not properly manage nonstudent network user accounts and financial software access controls. As a result, data and personal, private and sensitive information (PPSI) accessible by those accounts were at a greater risk for unauthorized access, misuse or loss. In addition to sensitive information technology (IT) control weaknesses that were confidentially communicated to District officials, we found that officials did not: 

  • Disable 316 nonstudent network user accounts (24 percent) that were not needed, including two user accounts assigned to employees who left the District more than 17 years ago.
  • Ensure that employees had the appropriate access to the financial software necessary to perform their job functions. 
  • Provide IT security awareness and data privacy training annually to all officials and employees with access to financial and other sensitive data. 

Key Recommendations 

  • Disable network and financial software user accounts as soon as they are no longer needed and periodically review accounts and access for necessity.
  • Provide periodic data privacy and IT security awareness training to officials and employees with access to PPSI.

District officials generally agreed with our recommendations and indicated they have initiated or plan to initiate corrective action.