Audit of B-P online banking reveals oversight lacking
BROADALBIN — An audit of Broadalbin-Perth Central School District’s online banking process found that officials failed to adequately safeguard the district’s online banking transactions because they did not sufficiently monitor the authorized users of the program. But, the audit notes, as of Jan. 31, 2020, there had not been any unauthorized online access to the district’s bank accounts, nor were there any “questionable” wire transfers or automated clearing house payments, or any loss of funds.
The audit stated, “However, if the bank accounts were attacked and funds misappropriated… the district could have lost up to $11.2 million.”
The key findings of the audit include that officials had not adopted a comprehensive online banking policy; that they failed to monitor online banking users’ compliance with the district’s acceptable computer use policy, and that, as a result, five of the six employees authorized to access online banking were browsing nonbusiness websites prohibited by the policy. The district also failed to provide IT security awareness training to all online banking users.
The audit stated, “The [d]istrict entered into a written online banking agreement with their financial institution to allow officials and key employees to complete electronic banking transfers. However, we found that the [b]oard did not adopt an online banking policy that defines the type of online banking activities allowed or the procedures for authorizing, processing and monitoring online banking transactions.”
“Five online banking users accessed websites for personal [reasons]… shopping, banking and bill paying, and… activities such as watching videos, browsing entertainment news, and visiting sports, social networking and email websites,” the report stated.
The district does have an online user policy for district employees who have access to district computers, but the audit criticized the district for being unable to provide the state comptroller “with evidence that all network users had read, were aware of and acknowledge they would be held accountable for compliance” with the user policy.
The report revealed that the treasurer had signed a user agreement and “her internet use was in compliance” with the user policy.
“The assistant superintendent and the accounts payable clerk both signed [acceptable user policies]… and should have been aware their internet use did not comply with the AUP,” the report states. “[W]hile the administrative assistant, payroll clerk and district clerk did not have a signed AUP acknowledgement form on file.”
The audit found that the district had properly separated the responsibilities for processing online banking transactions by “limiting employee access to specific functions and bank accounts and requiring the treasurer to obtain secondary approval in the online banking application.”
But, according to the audit, the option to “perform [electronic funds transfers] to foreign countries had not been disabled.”
The treasurer told the state auditor that the district had not disabled the option to transfer funds to a foreign country because it had once purchased a 3-D printer from a foreign country.
The state suggested the district disable EFTs to foreign countries when they are not needed, and noted that this action “would provide additional controls in securing the district’s funds.”
In his response, Assistant Superintendent for Business and Operations Marco Zumbolo said the district had already begun to make changes.
In the Feb. 2 response, Zumbolo said, “Prior to release of the auditor’s report, District officials had already made strides to address these areas in need of improvement. Initial development of an online banking policy is underway, the District’s acceptable use policy is under internal review, and professional development opportunities and trainings specific to IT security have already been implemented.”
The planned actions are the online banking policy, IT security awareness training and having all employees with computer access sign an acknowledgement form indicating they are aware of and will comply with the district’s policy.
All the actions are to be completed by June 30.