By Hank Russell
A report recently released by the New York State Comptroller’s Office found that, from July 1, 2021 to January 26, 2023, the Wantagh School District, its Board of Elections and officials did not properly “[establish] adequate controls over user accounts for the financial application to help prevent inappropriate access and use.”
What the auditors found was that officials from the BOE and the district failed to develop and adopt policies and procedures related to the user accounts and permissions and the review of audit trail reports; limit user account permissions to those who need access to the financial controls in order to perform their job duties; and perform an independent review of transactions in the audit trail reports.
According to the report, Wantagh had four dormant user accounts; one of the accounts was used by multiple employees. That account was shared when the purchasing clerk was out on leave. Further, the staff used the same username and password, rather than each employee having their own login information. The last time the account was used was December 2021. The district’s assistant superintendent of business (ASB) could not identify who used the account during the purchasing clerk’s absence.
In another instance, the senior accountant, on 13 separate occasions, increased purchase orders cumulatively by $197,123 without the purchasing agent’s approval. Meanwhile, audit trail reports identified five payments totaling $698,534 where the purchasing agent overrode the financial application to process payments. As a result, budget codes and purchase orders were overextended by $58,559 and $46,359, respectively. The purchasing agent said this was done to save time so the payment could be processed without making a budget transfer or increasing the purchase order.
The auditors also found that a test account created for the ASB to review different financial application settings, including confirming permission settings before granting permissions, was used “periodically” during the audit period, but it was not deactivated despite not being used for six months. User accounts assigned to the district’s internal and external auditors — who were not employees of the district — were used only a combined three times during the audit period and never deactivated.
In its report, the comptroller’s office recommended the following:
- Establish adequate policies and procedures related to their financial application.
- Perform an independent review of transactions of the financial application system administrator account on the audit trail reports.
- Assign user account permissions based upon assigned job duties.
In a letter to the comptroller’s office, Board of Education President Tara Cassidy and School Superintendent John McNamara said they agree with the recommendations and have disabled all shared accounts, with a few exceptions. “These accounts will remain disabled other than the few times per year they are needed,” they wrote. “Even when enabled, they only include permission to view certain reports so there is no risk of unauthorized changes to data.”
They also noted that the district’s financial software is hosted offsite and it can only be accessed by downloading an application. Everyone who logs in has their login attempts “recorded and attached to a specific computer ID and IP address.”
Cassidy and McNamara told the comptroller’s office that they failed to point out that the district “[worked] to correct these items … well underway” one year before the audit began. In response, the auditors wrote in their report, “District officials did not provide us with updated reports showing that the user access of these individuals was modified. Therefore, we did not find any evidence that District officials were working to correct the items listed in our report prior to the beginning of our fieldwork.”