Summary
| Report Number: | 2004-202 |
| Report Title: | Volusia County District School Board |
| Report Period: | 10/2003-01/2004 |
| Release Date: | 06/29/2004 |
The information technology (IT) environment at Volusia County District School Board (District) consists of multiple hardware, software, and application platforms. The District utilizes SmartStream, an Enterprise Resource Planning (ERP) system, to provide application processing for its financial applications. Our audit focused on evaluating selected IT functions and determining the effectiveness of general controls applicable to the District for the period October 2003 through January 2004; determining management’s awareness of, and actions taken regarding, the Health Insurance Portability and Accountability Act of 1996 (HIPAA); and determining whether the District had corrected, or was in the process of correcting, IT-related deficiencies disclosed by the predecessor auditor in a management letter dated October 17, 2002.
As described below, we noted deficiencies in certain general controls related to the District’s functions and practices:
Finding No. 1: A Districtwide security program had not been formally devised to ensure that exposures and vulnerabilities of IT resources had been sufficiently assessed by management and addressed through enforced user and system security controls. Additionally, the District had not designated a chief security officer or similar function to provide for a unified security program over the District’s information resources.
Finding No. 2: The District had not established written policies and procedures governing various IT functions, including an information systems development methodology. Additionally, the District had not sufficiently documented the overall data flow, interfaces, or customized processes for its systems.
Finding No. 3: The District’s software change management practices needed improvement.
Finding No. 4: The District had inadequate segregation of duties within IT that permitted staff within the SmartStream environment to design, develop, program, test, and move stored procedures into production.
Finding No. 5: Deficiencies were noted in the District’s business continuity controls.
The Superintendent's response to the audit findings and recommendations is included in the audit report on the Auditor General Web site.