Summary

The Polk County District School Board (District) maintains SAP enterprise resource planning (ERP) software that provides application processing for District administrative systems, such as general ledger, accounts payable, human resources, and payroll functions.  Our audit focused on evaluating management controls and selected information technology (IT) functions applicable to the SAP system during the period October 2003 through January 2004, with selected actions taken through February 2004, including selected general controls; determining management’s awareness of, and actions taken regarding, the Health Insurance Portability and Accountability Act of 1996 (HIPAA); and determining whether the District has corrected, or is in the process of correcting, IT-related deficiencies disclosed by the predecessor auditor in a management letter dated April 17, 2003.

Certain deficiencies were noted in the District’s management controls over selected IT functions.  Specifically, these deficiencies included:

Finding No. 1:   Improvements were needed in the District’s systems modification methodology.

Finding No. 2:   Improvements were needed in the District’s IT risk management practices.

Finding No. 3:   System access privileges were not, in some instances, restrictive enough to enforce a proper segregation of incompatible duties.

Finding No. 4:   Deficiencies were noted in the District’s IT security controls in addition to the matters discussed in Finding No. 3.

Finding No. 5:   Deficiencies were noted in the District’s business continuity controls.

The Superintendent's response to the audit findings and recommendations is included in the audit report on the Auditor General Web site.