We also released six letter reports to the following School Districts: Arlington Central School District [pdf], Elmira City School District [pdf], Fairport Central School District [pdf], Freeport Union Free School District [pdf], Saratoga Springs City School District [pdf], and Williamsville Central School District [pdf].
Purpose of Audit
The purpose of our audit was to determine whether school districts are adequately controlling access to their Student Grading Systems (Systems) for the period July 1, 2013 through May 1, 2015.
Background
School districts maintain and use students’ grades for a variety of educational purposes. School districts use Systems to record information about students’ grades, and provide System access to teachers, administrators, various staff members and external information technology (IT) support staff. Access to Systems should be limited to only those school district officials with a business need (i.e., operations, instruction, management and evaluation) and users should have the least amount of access necessary to perform their job duties or responsibilities.
Key Findings
- Districts do not adequately control access to their Systems. None of the districts audited have policy guidance that details the process or written documentation requirements for grade changes.
- Grade changes tested that were made by non-teachers, after the marking periods closed, lacked supporting documentation 44 percent of the time. Grade changes were being made to prior school years as far back as the 2007-08 school year. We found that 80 percent of the changes we tested could not be supported with written authorization.
- The lock out function (i.e., an internal control that helps prevent grade modifications without authorization after the close of a marking period) was not consistently being utilized across the districts.
- None of the districts have adopted written policies and procedures for their Systems for adding users, establishing users' access rights, deactivating or modifying user accounts, granting user permissions and monitoring user access.
- All districts had weaknesses in accessing, monitoring and reviewing audit logs.
Key Recommendations
- Adopt policy guidance relating to the procedures and requirements for making grade changes in the current year and for prior years.
- Periodically review the grade changes made by the heightened permission users and determine the appropriateness of the grade changes. Restrict the ability to make grade changes after the close of a marking period to designated individuals and ensure that documentation is retained to show who authorized the grade change and the reason for the change.
- Adopt policy guidance regarding the utilization of the lock out function and what procedures must be followed to bypass this control. Periodically review the bypassing of the lock out function and determine the appropriateness of the changes.
- Review current procedures for assigning user access rights and strengthen controls to ensure that individuals are assigned only those access rights needed to perform their job duties. Monitor user access rights periodically.
- Periodically review available audit logs for unusual or inappropriate activity. Implement compensating controls due to a lack of an audit log function by certain grading systems.