Managing the distribution of physical keys and electronic key fobs to employees in a school district is a basic, long-standing internal control practice. We distribute one or more keys or key fobs to new employees and require terminated employees to return their keys. Of course, we are very careful in the distribution of master keys and limit them to select administrators or managers. It is common sense that school officials need to follow well-designed procedures in administering access to the district’s facilities and physical assets.
On occasion, we observe school districts that, through omission or oversight, are providing administrative rights to software systems to all of the employees in one or more offices or departments. In some instances, the administrative rights provide “super-user” access to software systems, meaning files, data, records and more can be added, deleted or altered by the employee(s) who work with finance, personnel, time-keeping, payroll, human resources, student and/or other software systems. Beyond these risks, the lack of adequate access controls in one district’s finance system resulted in a more than quadruple increase in the fees paid to the external audit firm engaged to audit the district’s financial statements and compliance.
Just as we are careful in distributing the master key(s) to the district’s facilities and offices, access controls are even more important in computer systems. When installing software systems, it is important to properly implement and maintain role- or group-based system access or permissions for the various classes of employees, according to the roles and responsibilities assigned in their job descriptions. System administrator rights and access should be limited to independent staff, such as a Technology department employee who is not responsible for creating, maintaining and/or archiving the data. Checklists used for processing terminated employees also need to include a checkbox for removal of computer system access. The district should also follow best practices for strong passwords and for the periodic change and protection of passwords, which should be covered in the employee handbook. The employee handbook and board-adopted policies should also address employee disciplinary sanctions for violation of password and computer system access controls.
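The three controls above (no office where everyone holds administrative rights, administrators who do not also own the data, and access removal on termination) can be checked against a user directory export. The following Python is an added illustration, not code from the original article or from any district system; the role names, department names and user list are constructed for the example.

```python
from dataclasses import dataclass, field

# Hypothetical role names; a real district system uses its own.
ADMIN_ROLES = {"system_admin"}
DATA_ROLES = {"finance_clerk", "payroll_clerk", "hr_clerk", "student_records"}

@dataclass
class User:
    name: str
    department: str
    roles: set = field(default_factory=set)
    active: bool = True

# Constructed sample directory, not real district data.
USERS = [
    User("ana", "Business Office", {"finance_clerk", "system_admin"}),
    User("bo", "Business Office", {"payroll_clerk", "system_admin"}),
    User("cy", "Business Office", {"finance_clerk", "system_admin"}),
    User("di", "Technology", {"system_admin"}),
    User("ed", "HR", {"hr_clerk"}),
]

def over_provisioned_departments(users, independent=("Technology",)):
    """Departments (other than the independent admin department) where
    every active employee holds an administrative role."""
    by_dept = {}
    for u in users:
        if u.active and u.department not in independent:
            by_dept.setdefault(u.department, []).append(u)
    return sorted(d for d, members in by_dept.items()
                  if all(u.roles & ADMIN_ROLES for u in members))

def separation_of_duties_violations(users):
    """Active users who both administer a system and create/maintain its data."""
    return sorted(u.name for u in users
                  if u.active and u.roles & ADMIN_ROLES and u.roles & DATA_ROLES)

def offboard(users, name):
    """Termination-checklist step: revoke every role and deactivate the account.
    Returns False if no such user exists, so the checkbox cannot be ticked blindly."""
    for u in users:
        if u.name == name:
            u.roles.clear()
            u.active = False
            return True
    return False
```

Running the checks before and after `offboard(USERS, "ana")` shows the Business Office remaining flagged until its remaining clerks lose their administrative role.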
A lack of attention to computer system access controls is like leaving the door to the safe in the district’s central administrative offices wide open 24/7. If this happens, the school district will eventually be a front-page article in the local newspaper.