Technology Lessons from the Roslyn School District Scandal

By Ronald J. Bovich

OCTOBER 2005 - Nearly two years ago, the school district accounting and auditing world was shaken by the $11.2 million embezzlement and corruption scandal uncovered at the Roslyn School District in Long Island, New York. Over the course of several years, more than 20 school district officials and employees abused the financial responsibilities entrusted to them. The ensuing actions by the New York State Comptroller’s office, combined with new public awareness of fraud and corruption in everyday business, have led to tighter accounting and auditing standards for everyone.

Serving the Public Good

The “new” duties of the accountants hired by school districts include serving as the eyes and ears of the public good: investigating any indication of fraud or embezzlement within the district they serve, ensuring that the district has adequate internal controls, and ascertaining whether employees make appropriate use of the financial software installed within the district.

First and foremost, an accountant must understand the level of safeguards and security features that should be instilled in every school district. Central to this is the development of a security policy by the district that outlines the reason for the policy, the laws and regulations on which the policy is based, how the policy will be enforced, who will be affected by it, what must be secured, and how security breaches will be reported and handled. This policy should be written such that all employees affected by the policy can understand its use and the ramifications of its misuse. This policy should be constantly reassessed for changes to district use as well as internal and external threats of compromise.

Those affected by the policy should be advised in writing of the acceptable use of their computers, the penalties for violating the policy, and the fact that their activities will be monitored. Each employee should be required to sign a security agreement that acknowledges the individual’s awareness of the policy and acceptance of its principles. In addition, all employees should be trained by the security administrator in the proper use of computers within the district and in the importance of security. These security measures should allow for the confidentiality of sensitive information while permitting authorized individuals to access the information necessary for the completion of their jobs.

As an adjunct to this policy, other measures to provide better control over computer security should be instituted by the district. These include the following:

Access

  • Access should be limited to a need-to-know basis, with strict enforcement of rights and privileges.
  • All dormant accounts should be locked out after a predetermined period of inactivity. All users on extended leave should have their accounts temporarily marked inactive.
  • Allowable log-in attempts should be limited.
  • Passwords should be at least six characters in length and should not use words, names, dates, or other common formats. Administrators should prohibit passwords that identify account owners (e.g., birthdates, initials, names of pets) and should require a mix of characters (i.e., numbers and letters).
  • System administrators should change all preset passwords built into the software and require that all passwords be changed at predetermined intervals.
  • No passwords should be shared, and all password records should be secured.
  • Users should be instructed to never use their password while being watched and to change their password if it has been compromised.
  • Business-office computer systems should be inaccessible to students and teachers.

Network Security

  • Remote access should be limited to trusted vendors only, with strong password protection in place.
  • All computers should be protected from external and internal threats by up-to-date virus scanners, firewalls, surge protectors, and back-up battery power.
  • Incoming files should be scanned for viruses before allowing download. This includes files that have been worked on at home on personal computers and brought back to the office.

Backups

  • All critical servers, workstations, and applications should be backed up on a regular basis. Backups should be performed at night, and all data should be verified. Tapes should be changed daily and rotated; no tape should be used two weeks in a row.
  • Backup procedures should be handled only by assigned trusted personnel.
  • Backup tapes should be held off-site, perhaps by a third-party vendor, in case of a disaster.

Contingency Planning

Every district needs a carefully formulated contingency plan in the event of natural disaster or equipment failure. These plans can include emergency agreements with neighboring districts to handle such things as payroll and accounts payable, and agreements with local-area boards of cooperative educational services (BOCES), which are state-chartered regional partnerships of local school districts that reduce the cost of commonly used services, such as vocational training or special education.

Other measures beyond the range of hardware security include the following:

  • Software should be upgraded when recommended, so as to use the latest application improvements as well as improved security.
  • Segregation of duties should exist in all departments, and clear lines of authority should be established. Not only will this reduce error and avoid waste, it will also reduce the risk of wrongful acts by one individual. Key tasks and responsibilities should be divided, duties should be rotated, and all staff should be cross-trained. In the event of absenteeism in an office, other employees should be able to replace the missing employee without any lapse in procedures.
  • Check-signature plates and stocks of checks should be secured, with extremely limited access. All checks should incorporate security features such as colored backgrounds and simulated watermarks. Separate accounts should be established for different funds.
  • Great attention should be given to electronic transfers, with approval only by authorized officials and under strict accounting controls.

School districts can further restrict management from overriding controls in a software product, so that any data change leaves trails. Records should be maintained on user activity, and all audit trails in software should be reviewed. If, for example, vendor names have been changed either in the file or on a check, reports should indicate not only the change that was made, but also who initiated that change, the actual name that showed on the check, the date it was changed, the account number of the vendor, the computer terminal where the change was made, and the initial value of the change. Reports should be generated that reflect the identities of individuals with permissions for various aspects of the software program. Manual check reviews should be available to allow inspection of checks versus the check register. Printed vendor listings or cash disbursement warrants can be used to cross-reference a vendor name that cannot be changed in the system to one that has been printed on checks.
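As an added example (not from the article, and not any district's or vendor's software), the following Python script performs the review described above over a constructed vendor-change audit trail, check register, and printed vendor listing. Every user name, terminal, vendor account, and amount in it is invented, and the permitted-editor set stands in for the permissions report the article calls for.

```python
import csv
import io
from datetime import datetime

# Constructed sample data (not from the article). The audit trail carries the fields the
# article says a change report should show: who, when, from which terminal, the vendor
# account, and the old and new value.
AUDIT_LOG = """\
changed_at,user,terminal,vendor_acct,old_name,new_name
2005-03-01 09:12,jsmith,BO-01,V1001,Acme Paper Co,Acme Paper Co Inc
2005-03-02 22:41,rjones,BO-07,V1002,Long Island Fuel,R Jones
"""
# Printed vendor listing (the frozen cross-reference) and the check register, also constructed.
PRINTED_LISTING = {"V1001": "Acme Paper Co", "V1002": "Long Island Fuel", "V1003": "Metro Electric"}
CHECK_REGISTER = [
    {"check_no": "5001", "vendor_acct": "V1001", "payee": "Acme Paper Co Inc", "amount": "1200.00"},
    {"check_no": "5002", "vendor_acct": "V1002", "payee": "R Jones", "amount": "48500.00"},
    {"check_no": "5003", "vendor_acct": "V1003", "payee": "Metro Electric", "amount": "760.00"},
]
AUTHORIZED_VENDOR_EDITORS = {"jsmith"}   # hypothetical: taken from the permissions report
BUSINESS_HOURS = range(7, 19)            # 07:00 to 18:59

def parse_audit_log(text):
    """Parse the CSV audit trail into a list of dicts, one per vendor-name change."""
    return list(csv.DictReader(io.StringIO(text)))

def review_vendor_changes(records, listing, register, authorized, hours=BUSINESS_HOURS):
    """Return (vendor_acct, reason) findings for the auditor to follow up."""
    findings = []
    for r in records:
        acct, who, where = r["vendor_acct"], r["user"], r["terminal"]
        if who not in authorized:
            findings.append((acct, f"name changed by {who} (not permitted) at terminal {where}"))
        if datetime.strptime(r["changed_at"], "%Y-%m-%d %H:%M").hour not in hours:
            findings.append((acct, f"name changed outside business hours at {r['changed_at']}"))
    # Compare each printed check against the listing that cannot be altered in the system;
    # when the payee differs, attach the (most recent) audit record that explains the new name.
    changes = {r["vendor_acct"]: r for r in records}
    for chk in register:
        expected = listing.get(chk["vendor_acct"])
        if expected is not None and chk["payee"] != expected:
            r = changes.get(chk["vendor_acct"])
            trail = f"; changed by {r['user']} on {r['changed_at']}" if r else "; no audit record"
            findings.append((chk["vendor_acct"],
                             f"check {chk['check_no']} payee '{chk['payee']}' differs from listing '{expected}'" + trail))
    return findings

if __name__ == "__main__":
    for acct, reason in review_vendor_changes(parse_audit_log(AUDIT_LOG), PRINTED_LISTING,
                                              CHECK_REGISTER, AUTHORIZED_VENDOR_EDITORS):
        print(acct, "-", reason)
```

Note that the authorized, business-hours change to V1001 is still surfaced through the listing cross-check, so the reviewer sees every payee that differs from the frozen listing together with who changed it and when.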

Technology Is Not Enough

Software and hardware by themselves cannot be relied upon to discover fraud or embezzlement. A school district’s management must set the tone. Vigilance is the key to security. All computer systems are vulnerable to attack from within and without, and vigilance is the only surefire deterrent.

Public school education constitutes one of New York State’s largest industries, with an annual budget of some $39.4 billion. A total of 732 public school districts handle some 2,826,000 students in grades K through 12, and employ 466,100 workers. This does not take into account another 476,800 students and 63,000 other staff members in private schools throughout the state. Overall, the system works, but not without a lot of effort and money. The failure to live up to this investment puts a district at risk for tremendous loss of money and diminished respect. It is up to everyone—hardware and software vendors, accountants, school district officials, and the general public—to keep the system running as it should.


Ronald J. Bovich is president of Finance Manager, a software manufacturer and service provider to New York State school districts and public entities, based in East Setauket, N.Y.

The CPA Journal is broadly recognized as an outstanding, technical-refereed publication aimed at public practitioners, management, educators, and other accounting professionals. It is edited by CPAs for CPAs. Our goal is to provide CPAs and other accounting professionals with the information and news to enable them to be successful accountants, managers, and executives in today's practice environments.

©2009 The New York State Society of CPAs.