Orange County Community College – Information Technology and Financial Activities (2017M-111)

Issued Date
September 29, 2017

Purpose of Audit

The purpose of our audit was to examine the College’s controls over information technology (IT) and financial activities for the period September 1, 2015 through December 1, 2016.

Background

Orange County Community College is located in Orange County. The College, which has two campuses and about 5,500 students, is governed by a 10-member Board of Trustees. Expenditures for the 2015-16 fiscal year were approximately $85 million.

Key Findings

  • The Board did not adopt adequate IT policies that address appropriate computer use and security or provide training on policies, cybersecurity or the financial software application.
  • The servers and server rooms were not adequately protected, backups were not adequately maintained and a disaster recovery plan has not been established.
  • The purchasing policy is inadequate because it does not address all New York State General Municipal Law (GML) requirements.
  • Officials did not have any written procedures documenting the claims process.
  • Policies and procedures over student accounts were insufficient.

Key Recommendations

  • Review and update the existing Internet, email and personal computer use policy, establish and adopt IT security policies, and provide adequate training relating to cybersecurity, IT policies and the financial software application.
  • Improve server rooms’ physical security by installing fire suppression systems, automatic temperature controls, a designated generator and entry keypads or logs; establish written procedures describing the frequency, location and scope of backups and the specific methods used to backup data; and adopt a formal written disaster recovery plan.
  • Amend the purchasing policy and written procedures to comply with GML and ensure that competitive bids or competitive offers are awarded in accordance with GML.
  • Establish written procedures for the claims process that communicates the claims auditor’s responsibility and job description.
  • Establish and adopt a policy that outlines the process for maintaining student accounts.