Purpose of Audit
The purpose of our audit was to assess the Town's financial management and controls over information technology (IT) for the period January 1, 2012, to April 30, 2013.
Background
The Town of Wawayanda, located in Orange County, has a population of approximately 7,300. The Town is governed by an elected five-member Town Board which comprises the Town Supervisor and four Board members. The Town's budgeted expenditures for the 2013 fiscal year were approximately $4.3 million.
Key Findings
- Over the past three years, Town officials have demonstrated fiscally responsible management and identified various ways to increase revenue and reduce expenditures. As a result, Town taxpayers have benefited from a declining tax levy for the past three years and an anticipated reduction in the 2014 tax levy. However, the Town's unexpended surplus fund balance has become excessive, and its budgets from fiscal years 2010 through 2012 were unrealistic. Revenues were under-estimated and expenditures over-estimated for all three fiscal years. The unrealistic budgets caused total fund balance to increase significantly from about $2.3 million in 2010 to almost $3.3 million at the end of 2012. Unexpended surplus funds in the general fund at the 2012 fiscal year end equaled 175 percent of the 2013 adopted budget.
- The Board has not developed a formal long-term plan addressing the excessive unexpended surplus fund balance.
- The Board has not adopted a breach notification policy, a disaster recovery plan, or a policy that addresses the protection of personal, private and sensitive information.
- The Board has allowed employees to have more access rights than necessary to perform their job duties.
Key Recommendations
- Adopt budgets with realistic estimates of anticipated revenues, expenditures and fund balance available for appropriation. Adopt a fund balance policy governing the level of unexpended surplus funds to be maintained in the Town's operating funds.
- Develop and adopt a comprehensive multi-year financial and capital plan.
- Adopt a breach notification policy and a comprehensive disaster recovery plan that details specific guidelines for the protection of private and essential data.
- Apply the principle of least privilege and grant local administrator rights only to users who absolutely need them to perform their job duties.