Purpose of Audit

The purpose of our audit was to review the Town’s internal controls over its computer network for the period January 1, 2012 through December 31, 2013.

Background

The Town of Champion is located in Jefferson County and has a population of approximately 4,500. The Town is governed by an elected five-member Town Board. The Town’s budgeted expenditures for the 2014 fiscal year were approximately $2.5 million.

Key Findings

• All users have administrator rights to their computers, giving them complete control over their local workstation. Users could perform actions that would significantly impact the safety and security of the computer and data.
• Town officials have not adopted comprehensive data backup policies and procedures for computer-processed data. The Clerk backs up data to the machine that she is currently working on and not to an offsite location or a removable hard drive.
• Town officials and employees were not aware of the Town’s breach notification policy. Therefore, they may not have been prepared to notify affected individuals in the event that private information had been compromised.
• The Board has not established a formal disaster recovery plan.

Key Recommendations

• Restrict administrator rights to computers; if administrator rights are needed for certain duties of a user’s job, create a separate account with administrative rights and use it only when needed.
• Ensure that all of the Town’s data is backed up to a secure off-site location, and develop procedures to periodically test and restore back-up data to ensure that it is complete, accurate and useable.
• Periodically review the breach notification policy.
• Develop a formal disaster recovery plan identifying potential risks and detailing the responses to be taken. This plan should be distributed to all responsible parties, periodically tested and updated as needed.