Lessons from the Roslyn School District Scandal
Ronald J. Bovich
2005 - Nearly two years ago, the school district accounting
and auditing world was shaken by the $11.2 million embezzlement
and corruption scandal uncovered at the Roslyn School District
in Long Island, New York. Over the course of several years,
more than 20 school district officials and employees abused
the financial responsibilities entrusted to them. The ensuing
actions by the New York State Comptroller’s office,
combined with new public awareness of fraud and corruption
in everyday business, have led to tighter accounting and auditing
standards for everyone.
the Public Good
“new” duties of the accountants hired by school
districts include serving as the eyes and ears of the public
good to investigate all possible existence of fraud and
embezzlement within the district they serve, to ensure that
the district has adequate internal controls, and to ascertain
whether employees make appropriate use of the financial
software installed within the district.
and foremost, an accountant must understand the level of
safeguards and security features that should be instilled
in every school district. Central to this is the development
of a security policy by the district that outlines the reason
for the policy, the laws and regulations on which the policy
is based, how the policy will be enforced, who will be affected
by it, what must be secured, and how security breaches will
be reported and handled. This policy should be written such
that all employees affected by the policy can understand
its use and the ramifications of its misuse. This policy
should be constantly reassessed for changes to district
use as well as internal and external threats of compromise.
affected by the policy should be advised in writing of the
acceptable use of their computers, the penalties for violating
the policy, and the fact that their activities will be monitored.
Each employee should be required to sign a security agreement
that acknowledges the individual’s awareness of the
policy and acceptance of its principles. In addition, all
employees should be trained by the security administrator
in the proper use of computers within the district and in
the importance of security. These security measures should
allow for the confidentiality of sensitive information while
permitting authorized individuals to access the information
necessary for the completion of their jobs.
an adjunct to this policy, other measures to provide better
control over computer security should be instituted by the
district. These include the following:
Access should be limited to a need-to-know basis, with
strict enforcement of rights and privileges.
All dormant accounts should be locked out after a predetermined
period of inactivity. All users on extended leave should
have their accounts temporarily marked inactive.
Allowable log-in attempts should be limited.
Passwords should be at least six characters in length
and should not use words, names, dates, or other common
formats. Administrators should prohibit passwords that
identify account owners (e.g., birthdates, initials, names
of pets) and should require a mix of characters (i.e.,
numbers and letters).
System administrators should change all preset passwords
built into the software and require that all passwords
be changed at predetermined intervals.
No passwords should be shared, and all password records
should be secured.
Users should be instructed to never use their password
while being watched and to change their password if it
has been compromised.
Business-office computer systems should be inaccessible
to students and teachers.
Remote access should be limited to trusted vendors only,
with strong password protection in place.
All computers should be protected from external and internal
threats by up-to-date virus scanners, firewalls, surge
protectors, and back-up battery power.
Incoming files should be scanned for viruses before allowing
download. This includes files that have been worked on
at home on personal computers and brought back to the
All critical servers, workstations, and applications should
be backed up on a regular basis. Backups should be performed
at night, and all data should be verified. Tapes should
be changed daily and rotated; no tape should be used two
weeks in a row.
Backup procedures should be handled only by assigned trusted
Backup tapes should be held off-site, perhaps by a third-party
vendor, in case of a disaster.
district needs a carefully formulated contingency plan in
the event of natural disaster or equipment failure. These
plans can include emergency agreements with neighboring
districts to handle such things as payroll and accounts
payable, and agreements with local-area boards of cooperative
educational services (BOCES), which are state-chartered
regional partnerships of local school districts that reduce
the cost of commonly used services, such as vocational training
or special education.
measures beyond the range of hardware security include the
Upgrading software when recommended so as to use the latest
in application improvements as well as improved security.
Segregation of duties should exist in all departments,
and clear lines of authority should be established. Not
only will this reduce error and avoid waste, it will also
ease the risk of wrongful acts by one individual. Key
tasks and responsibilities should be divided, duties should
be rotated, and all staff should be cross-trained. In
the event of absenteeism in an office, other employees
should be able to replace the missing employee without
any lapse in procedures.
Check-signature plates and stocks of checks should be
secured, with extremely limited access. All checks should
incorporate security features such as colored backgrounds
and simulated watermarks. Separate accounts should be
established for different funds.
Great attention should be given to electronic transfers,
with approval only by authorized officials and under strict
districts can further restrict management from overriding
controls in a software product, so that any data change
leaves trails. Records should be maintained on user activity,
and all audit trails in software should be reviewed. If,
for example, vendor names have been changed either in the
file or on a check, reports should indicate not only the
change that was made, but also who initiated that change,
the actual name that showed on the check, the date it was
changed, the account number of the vendor, the computer
terminal where the change was made, and the initial value
of the change. Reports should be generated that reflect
the identities of individuals with permissions for various
aspects of the software program. Manual check reviews should
be available to allow inspection of checks versus the check
register. Printed vendor listings or cash disbursement warrants
can be used to cross-reference a vendor name that cannot
be changed in the system to one that has been printed on
Is Not Enough
and hardware by themselves cannot be relied upon to discover
fraud or embezzlement. A school district’s management
must set the tone. Vigilance is the key to security. All
computer systems are vulnerable to attack from within and
without, and vigilance is the only surefire deterrent.
school education constitutes one of New York State’s
largest industries, with an annual budget of some $39.4
billion. A total of 732 public school districts handle some
2,826,000 students in grades K through 12, and employ 466,100
workers. This does not take into account another 476,800
students and 63,000 other staff members in private schools
throughout the state. Overall, the system works, but not
without a lot of effort and money. The failure to live up
to this investment puts a district at risk for tremendous
loss of money and diminished respect. It is up to everyone—hardware
and software vendors, accountants, school district officials,
and the general public—to keep the system running
as it should.
J. Bovich is president of Finance Manager, a software
manufacturer and service provider to New York State school
districts and public entities, based in East Setauket, N.Y.