Village of Castleton-on-Hudson – Internal Controls Over Information Technology and Online Banking (2013M-59)

Issued Date
May 24, 2013

Purpose of Audit

The purpose of our audit was to review the Village’s internal controls over information technology and online banking for the period of June 1, 2011, to September 30, 2012.

Background

The Village of Castleton-on-Hudson is located in the Town of Schodack, Rensselaer County, and has a population of approximately 1,470 residents. The Village is governed by a Board of Trustees, which comprises four elected Trustees and an elected Mayor. The Village’s budgeted appropriations for the 2012-13 fiscal year were approximately $2 million.

Key Findings

  • Village officials have not developed any formal IT policies and the Board has not developed a formal disaster recovery plan, instituted breach notification procedures, or adopted procedures for data backup.
  • Although audit logs are available through the software, they are not generated and reviewed by Village officials.
  • The Board also has not instituted appropriate internal controls for online banking. The Village uses online banking services with one bank and currently only makes intra-bank transfers between its accounts at this bank. However, the Board was unfamiliar with and unaware of the importance of these types of controls.

Key Recommendations

  • Adopt formal IT policies, including a breach notification policy, and implement procedures to effectively safeguard the Village’s IT resources. Establish a formal disaster recovery plan and Board-written policies and procedures to provide guidance on how the Village’s electronic data is backed up.
  • Routinely generate and review the financial system audit logs to monitor user activity, including the potential threat of unauthorized access by third parties.
  • Establish a comprehensive written policy for online banking.