[read complete report - pdf]

Audit Objective

Determine whether Board and School officials effectively managed information technology (IT) assets.

Key Findings

• The Board did not develop adequate IT policies and procedures.
• School officials did not provide IT security awareness training to employees.
• The Board did not develop a disaster recovery plan.

Sensitive IT control weaknesses were communicated confidentially to officials.

Key Recommendations

• Adopt written IT policies and procedures.
• Provide periodic IT security awareness training to personnel who use IT resources, including the importance of physical security and protection of personal, private, sensitive information (PPSI).
• Develop a disaster recovery plan.
• Address the IT recommendations communicated confidentially.

School officials disagreed with certain aspects of our findings and recommendations, but indicated they planned to initiate corrective action. Appendix B includes our comments on issues raised in the School’s response letter.