Summary

The Lake County District School Board (District) utilizes the Total Educational Resource Management System (TERMS) to manage its financial resources.  The eight components of the TERMS Financial Information Series provide functionality that support activities ranging from initial budget preparation through year-end reporting.  The components are used by school and department personnel, as well as District-level staff and District board members.

Our audit focused on evaluating selected information technology (IT) controls applicable to the TERMS Financial Information Series during the period September 2005 through February 2006, and determining the status of corrective actions regarding selected prior audit findings disclosed in audit report No. 03-185.

The results of our audit are summarized as follows:

Finding No. 1:   District procedures for authorization of access to the network and TERMS were not followed in all instances.

Finding No. 2:   TERMS Financial Information Series emergency and temporary access requests were not approved by either the Chief Financial Officer or the Finance Director, the functional owners of the TERMS Financial Information Series data.  Instead, they were approved by the Information Services Manager.

Finding No. 3:   Access capabilities to TERMS had been granted to users who did not need the access for their job function.  Additionally, access to sensitive functions within the AS/400 mid-range computer environment was not appropriately limited.

Finding No. 4:   TERMS application security activity, such as modifications to user access privileges, was not systematically logged by the District, limiting the ability to monitor the appropriateness of security administration actions.

Finding No. 5:    We noted instances where the District did not remove access privileges for terminated employees in a timely manner.

Finding No. 6:        Improvements were needed in certain security controls protecting TERMS.

Finding No. 7:    The TERMS change management process needed strengthening.

Finding No. 8:    We noted instances where the District’s IT Standard Operating Procedures needed enhancement.

Finding No. 9:    The District had in excess of 4,000 IT surplus personal computers (PCs) in storage.  The hard drives of those PCs had not been prepared for disposal and were stored in facilities that were not environmentally controlled.

Finding No. 10:    Out-of-lease student PCs were not approved for disposition prior to being prepared and sold to students.

Finding No. 11:    Certain other District procedures related to the disposition of IT surplus equipment were not effective.

Finding No. 12:    Certain deficiencies related to the IT disaster recovery plan continued to exist.

Finding No. 13:    Procedures for the storage of AS/400 back-up tapes at designated off-site facilities were not followed.

Finding No. 14:    Physical security controls over the District’s IT facilities continued to need improvement.