Purpose of Audit
The purpose of our audit was to review the Village’s internal controls over information technology (IT) for the period of June 1, 2011, to April 30, 2013.
Background
The Village of Westhampton Beach is located in the Town of Southampton, in Suffolk County, and has a population of approximately 1,500 residents. The Village is governed by a Board of Trustees which comprises four elected Trustees and an elected Mayor. Budgeted appropriations for the 2012-13 fiscal year were approximately $9.4 million.
Key Findings
- Village officials have not developed formal IT policies for user access, and the Board has not developed a formal disaster recovery plan.
- We found generic user accounts on the Village’s computer system and some users unnecessarily had administrative rights. The Village Clerk/Treasurer has administrative rights to the Village’s financial software. Therefore, she has the ability to add users, modify access rights and data files, and correct errors.
- Although audit logs are available through the financial software, they are not generated and reviewed by Village officials.
Key Recommendations
- Establish a policy to ensure that access to the IT system and financial software application is provided to a specified person based on the needs associated with their job functions. Establish a formal disaster recovery plan.
- Ensure that administrative rights to the financial software are not given to someone involved in financial operations.
- Routinely generate and review the financial software audit logs to monitor user activity, including the potential threat of unauthorized access by third parties.