Performance Audit, Safford Unified School District |
Previous | 1 of 3 | Next |
|
|
Small
Medium
Large
Extra Large
Full-size
Full-size archival image
|
This page
All
|
Performance Audit Division of School Audits A REPORT TO THE ARIZONA LEGISLATURE September • 2015 Report No. 15-211 Debra K. Davenport Auditor General Safford Unified School District The Auditor General is appointed by the Joint Legislative Audit Committee, a bipartisan committee composed of five senators and five representatives. Her mission is to provide independent and impartial information and specific recommendations to improve the opera-tions of state and local government entities. To this end, she provides financial audits and accounting services to the State and political subdivisions, investigates possible misuse of public monies, and conducts performance audits of school districts, state agencies, and the programs they administer. The Joint Legislative Audit Committee Audit Staff Ross Ehrick, Director Ann Orrico, Manager and Contact Person Jennie Snedecor, Team Leader Jessica Cupero Nate Robb Joshua Roloson Alexa Tavasci The Auditor General’s reports are available at: www.azauditor.gov Printed copies of our reports may be requested by contacting us at: Office of the Auditor General 2910 N. 44th Street, Suite 410 • Phoenix, AZ 85018 • (602) 553-0333 Representative John Allen, Vice Chair Representative Regina Cobb Representative Debbie McCune Davis Representative Rebecca Rios Representative Kelly Townsend Representative David Gowan (ex officio) Senator Judy Burges, Chair Senator Nancy Barto Senator Lupe Contreras Senator David Farnsworth Senator Lynne Pancrazi Senator Andy Biggs (ex officio) 2910 NORTH 44th STREET • SUITE 410 • PHOENIX, ARIZONA 85018 • (602) 553-0333 • FAX (602) 553-0051 September 16, 2015 Members of the Arizona Legislature The Honorable Doug Ducey, Governor Governing Board Safford Unified School District Mr. Ken VanWinkle, Superintendent Safford Unified School District Transmitted herewith is a report of the Auditor General, A Performance Audit of the Safford Unified School District, conducted pursuant to A.R.S. §41-1279.03. I am also transmitting within this report a copy of the Report Highlights for this audit to provide a quick summary for your convenience. As outlined in its response, the District agrees with all of the findings and recommendations. My staff and I will be pleased to discuss or clarify items in the report. Sincerely, Debbie Davenport Auditor General Similar student achievement and efficient operations overall September • Report No. 15-211 2015 In fiscal year 2013, Safford USD’s student achievement was similar to peer districts’, and the District operated efficiently overall with costs that were lower than or similar to peer district averages. Safford USD’s administrative cost per pupil was similar to the peer districts’ average, but the District needs to strengthen controls over its computer systems and network. The District’s plant operations costs were much lower than peer districts’, primarily because the District employed fewer plant staff, used energy-and water-saving practices, and made efficient use of building space. In addition, the District’s food service program was self-sufficient, operating with a cost per meal that was similar to the peer district average, and its transportation program was reasonably efficient, with routes filling buses to 76 percent of capacity and drivers performing other duties, such as maintenance, when not driving. REPORT HIGHLIGHTS PERFORMANCE AUDIT Our Conclusion Safford Unified School District Student achievement similar to peer districts’—In fiscal year 2013, Safford USD’s student AIMS scores in math, reading, and writing were slightly higher than the peer districts’ averages, and its science scores were similar. Under the Arizona Department of Education’s A-F Letter Grade Accountability System, the District received an overall letter grade of B. Twelve of the 22 peer districts also received Bs, 2 peer districts received As, 5 peer districts received Cs, and 3 peer districts received Ds. Additionally, the District’s 67 percent graduation rate was lower than the peer districts’ 81 percent average and the State’s 75 percent average. Efficient operations overall—In fiscal year 2013, Safford USD operated efficiently overall, with costs that were lower than, or similar to, peer district averages. Operating efficiently allowed the District to spend 11 percent, or $398, more per pupil in the classroom than peer districts, on average, despite spending less per pupil overall. The District’s administrative cost per pupil was similar to the peer districts’ average, and its plant operations costs were much lower primarily because the District employed fewer plant operations staff, used energy- and water-saving practices, and made efficient use of building space. In addition, the District’s food service program was self-sufficient, operating with a cost per meal that was similar to the peer district average, and its transportation program was reasonably efficient, with routes filling buses to 76 percent of capacity and drivers performing other duties, such as maintenance, when not driving. 0% 10% 20% 30% 40% 50% 60% 70% 80% 90% 100% Math Reading Writing Science Safford USD Peer group State-wide Percentage of students who met or exceeded state standards (AIMS) Fiscal year 2013 Safford USD Table 1: Safford USD Peer group average Administration $779 $764 Plant operations 589 921 Food service 328 364 Transportation 226 394 Comparison of per pupil expenditures by operational area Fiscal year 2013 In fiscal year 2013, Safford USD lacked adequate controls over its computer systems and network. Although no improper transactions were detected in the items auditors reviewed, these poor controls exposed the District to an increased risk of errors, fraud, unauthorized access to sensitive information, and loss of data. More specifically: • Broad access to accounting system—Twenty-five of the District’s 36 accounting system users had more access to the system than they needed to perform their job duties, including 24 employees who had the ability to perform all accounting system District needs to strengthen its computer controls REPORT HIGHLIGHTS PERFORMANCE AUDIT September 2015 • Report No. 15-211 A copy of the full report is available at: www.azauditor.gov Contact person: Ann Orrico (602) 553-0333 Safford Unified School District functions. Granting employees system access beyond what is required for their job duties, especially full system access, exposes the District to a greater risk of errors, misuse of sensitive information, and fraud, such as processing false invoices or adding and paying nonexistent vendors or employees. • Generic accounts—We found that 18 network accounts, 4 accounting system accounts, and 1 student information system account were unnecessary, active generic accounts not assigned to specific users, making it difficult or impossible to hold anyone accountable if inappropriate activity occurred while using these accounts. • Inappropriate server room access—The District’s servers were stored in a room next to its IT department offices, which was secured by lock and key. However, the server room was accessible to custodial and other non-IT staff who were assigned master keys to the District’s facilities, which increased the risk of network interruption due to intentional or accidental equipment damage. • Lack of a disaster recovery plan—The District lacked a written, up-to-date, and tested disaster recovery plan for its network and critical financial and student information systems. Having a written and properly designed disaster recovery plan would help ensure continuous accessibility to sensitive and critical data in the event of a system or equipment failure or interruption. The District should: • Modify employee access to its accounting system to ensure that an employee cannot initiate and complete a transaction without independent review and approval. • Eliminate unnecessary generic user accounts in its network and systems and properly control any remaining generic accounts. • Limit physical access to its computer server room. • Create and test a formal disaster recovery plan. Recommendations Arizona Office of the Auditor General Page i TABLE OF CONTENTS District Overview 1 Student achievement similar to peer districts’ and state averages 1 District operated efficiently overall 1 Finding 1: District needs to strengthen controls over computer systems and network 3 Increased risk of unauthorized access to critical computer systems and network 3 Lack of disaster recovery plan could result in interrupted operations or data loss 4 Recommendations 4 Appendix Objectives, Scope, and Methodology a-1 District Response Table 1 Comparison of per pupil expenditures by operational area Fiscal year 2013 (Unaudited) 2 Figure 1 Percentage of students who met or exceeded state standards (AIMS) Fiscal year 2013 (Unaudited) 1 Safford Unified School District • Report No. 15-211 Safford Unified School District • Report No. 15-211 Arizona Office of the Auditor General Safford Unified School District is a medium-large sized, rural district located in eastern Arizona in Graham County. In fiscal year 2013, the District served 3,057 students in kindergarten through 12th grade at its six schools, including 3 elementary schools, 1 middle school, 1 high school, and 1 alternative high school. In fiscal year 2013, Safford USD’s student achievement was similar to peer districts’, and the District operated efficiently overall with most costs lower than, or similar to, the peer districts’ averages.1 The District’s administrative cost per pupil was similar to the peer districts’ average, and its plant operations and food service program operated efficiently. Further, despite a higher cost per rider, the District’s transportation program was reasonably efficient. However, the District should strengthen controls over its computer network and systems. Student achievement similar to peer districts’ and state averages In fiscal year 2013, 66 percent of the District’s students met or exceeded state standards in math, 83 percent in reading, 57 percent in writing, and 60 percent in science. As shown in Figure 1, Safford USD’s math, reading, and writing scores were slightly higher than peer district averages, and its science scores were similar. Under the Arizona Department of Education’s A-F Letter Grade Accountability System, Safford USD received an overall letter grade of B for fiscal year 2013. Twelve of the 22 peer districts also received Bs, 2 peer districts received As, 5 peer districts received Cs, and 3 peer districts received Ds. The District’s 67 percent graduation rate in fiscal year 2013 was lower than the peer districts’ 81 percent average and the State’s 75 percent average. District operated efficiently overall As shown in Table 1 and based on auditors’ review of various performance measures, Safford USD operated efficiently overall in fiscal year 2013 with costs that were similar to, or lower than, peer district’s average costs in all operational areas. Operating efficiently allowed the District to spend 11 1 Auditors developed three peer groups for comparative purposes. See page a-1 of this report’s Appendix for further explanation of the peer groups. DISTRICT OVERVIEW 0% 10% 20% 30% 40% 50% 60% 70% 80% 90% 100% Math Reading Writing Science Safford USD Peer group State-wide Figure 1: Percentage of students who met or exceeded state standards (AIMS) Fiscal year 2013 (Unaudited) Source: Auditor General staff analysis of fiscal year 2013 test results on Arizona’s Instrument to Measure Standards (AIMS). Page 1 Arizona Office of the Auditor General Page 2 Safford Unified School District • Report No. 15-211 percent, or $398, more per pupil in the classroom than peer districts, on average, despite spending less per pupil overall. Safford USD spent less, in part, because it received less federal grant monies, such as Title I, than the peer districts averaged because its poverty level was 6 percent lower than the peer districts’ average. Similar administrative costs but some improvements needed—Safford USD’s $779 administrative cost per pupil was similar to the peer districts’ $764 per pupil average. However, auditors identified some computer systems and network controls that need strengthening (see Finding 1, page 3). Much lower plant operations costs— Compared to peer districts’ averages, Safford USD’s fiscal year 2013 plant operations costs were 30 percent lower per square foot and 36 percent lower per student. The District spent less on plant operations primarily because some plant employees spent part of their time on student transportation, driving daily bus routes. As a result, the District employed fewer plant operations staff per square foot than the peer districts’ average. The District also used low-cost irrigation and desert landscaping to keep its water costs much lower than the peer districts’ average. In addition, the District kept its energy costs low partly because in fiscal year 2013, the District began controlling energy usage through a central energy management system that monitored and adjusted building temperatures to keep them within district-approved ranges. The District also upgraded its lighting to energy-efficient lighting fixtures. Finally, the District made efficient use of its building space by using an average of 80 percent of its building capacity. Efficient food service program—Safford USD’s $2.58 cost per meal was similar to the peer districts’ average of $2.67, and its cost per pupil was 10 percent lower. The District kept its costs down and maintained a self-sufficient program partly by negotiating favorable terms with its food service vendor, including paying substantially less for salaries and benefits than the average for the peer districts that also outsourced their food service operations. Transportation program reasonably efficient—Safford USD’s $3.43 cost per mile was 4 percent lower than the peer districts’ $3.58 average, and its $634 cost per rider was 37 percent higher than the peer districts’ $462 average. The District’s cost per rider was higher partly because it transported 27 percent fewer riders than the peer districts, on average, and therefore, certain costs, such as the transportation director’s salary, were spread over fewer riders when calculating the cost per rider. Despite the higher cost per rider, the District operated reasonably efficient bus routes, filling buses to 76 percent of seat capacity, on average. In addition, the District employed other cost-saving measures, including having its drivers perform other duties, such as maintenance, at the District when not driving. Safford USD Table 1: Spending Safford USD Peer group average State average Total per pupil $6,770 $7,187 $7,496 Classroom dollars 4,177 3,779 4,031 Nonclassroom dollars Administration 779 764 746 Plant operations 589 921 924 Food service 328 364 396 Transportation 226 394 369 Student support 366 561 582 Instruction support 305 404 448 Table 1: Comparison of per pupil expenditures by operational area Fiscal year 2013 (Unaudited) Source: Auditor General staff analysis of fiscal year 2013 Arizona Department of Education student membership data and district-reported accounting data. Arizona Office of the Auditor General Page 3 Safford Unified School District • Report No. 15-211 District needs to strengthen controls over computer systems and network In fiscal year 2013, Safford USD lacked adequate controls over its computer systems and network. Although no improper transactions were detected in the items auditors reviewed, these poor controls exposed the District to an increased risk of errors, fraud, unauthorized access to sensitive information, and loss of data. Increased risk of unauthorized access to critical computer systems and network Weak controls over user access to the District’s accounting and student information systems and computer network increased the risk of unauthorized access to these critical systems. Specifically: • Broad access to accounting system—Auditors reviewed the District’s accounting system user access report for all 36 users and identified 25 district employees who had more access to the accounting system than they needed to perform their job duties, including 24 employees who had the ability to perform all accounting system functions. Although no improper transactions were detected in the 30 payroll and 30 accounts payable transactions auditors reviewed, granting employees system access beyond what is required for their job duties, especially full system access, exposes the District to a greater risk of errors, misuse of sensitive information, and fraud, such as processing false invoices or adding and paying nonexistent vendors or employees. • Generic accounts—Auditors also reviewed the District’s user access reports for its network and systems and found that 18 network accounts, 4 accounting system accounts, and 1 student information system account were unnecessary, active generic accounts. Having generic accounts creates additional risk because they are not assigned to specific individuals and therefore make it difficult or impossible for the District to hold anyone accountable if inappropriate activity were conducted using these accounts. The District should eliminate all unnecessary generic accounts and minimize the number of generic accounts it maintains and establish proper controls over them, such as disabling them when not being used. • Inappropriate server room access—The District did not sufficiently protect its server room. The District’s servers were stored in a room next to its IT department offices, which was secured by lock and key. However, the server room was accessible to custodial and other non-IT staff who were assigned master keys to the District’s facilities, which increased the risk of network interruption due to intentional or accidental equipment damage. FINDING 1 Arizona Office of the Auditor General Page 4 Safford Unified School District • Report No. 15-211 Lack of disaster recovery plan could result in interrupted operations or data loss The District did not have a written, up-to-date, and tested disaster recovery plan for its network and critical financial and student information systems. A written and properly designed disaster recovery plan would help ensure continued operation in the case of a system or equipment failure or interruption. The plan should include detailed information on how to restore systems in such an event. As part of a disaster recovery plan, the District should also perform documented tests of its ability to restore electronic data files from data backups, which are important to ensure continuous accessibility to sensitive and critical data. Recommendations 1. The District should limit employees’ access to the accounting system to only the access necessary to meet their job responsibilities to help ensure that no single employee can complete transactions without an independent review. 2. The District should eliminate unnecessary generic user accounts in its network and systems and properly control any remaining generic accounts. 3. The District should limit physical access to its IT server room so that only appropriate personnel have access. 4. The District should create a formal disaster recovery plan and test it periodically to identify and remedy deficiencies. Arizona Office of the Auditor General Page a-1 APPENDIX Safford Unified School District • Report No. 15-211 Objectives, Scope, and Methodology The Office of the Auditor General has conducted a performance audit of the Safford Unified School District pursuant to Arizona Revised Statutes §41-1279.03(A)(9). Based in part on their effect on classroom dollars, as previously reported in the Office of the Auditor General’s annual report, Arizona School District Spending (Classroom Dollars report), this audit focused on the District’s efficiency and effectiveness in four operational areas: administration, plant operations and maintenance, food service, and student transportation. To evaluate costs in each of these areas, only operational spending, primarily for fiscal year 2013, was considered.1 Further, because of the underlying law initiating these performance audits, auditors also reviewed the District’s use of Proposition 301 sales tax monies and how it accounted for dollars spent in the classroom. In conducting this audit, auditors used a variety of methods, including examining various records, such as available fiscal year 2013 summary accounting data for all districts and Safford USD’s fiscal year 2013 detailed accounting data, contracts, and other district documents; reviewing district policies, procedures, and related internal controls; reviewing applicable statutes; and interviewing district administrators and staff. To compare districts’ academic indicators, auditors developed a student achievement peer group using poverty as the primary factor because poverty has been shown to be associated with student achievement. Auditors also used secondary factors such as district type and location to further refine these groups. Safford USD’s student achievement peer group includes Safford USD and the 22 other unified school districts that also served student populations with poverty rates between 20 and 27 percent in towns and rural areas. Auditors compared Safford USD’s graduation rate and its student AIMS scores to those of its peer group averages. The same grade levels were included to make the AIMS score comparisons between Safford USD and its peer group. AIMS scores were calculated using test results of the grade levels primarily tested, including grade levels 3 through 8 and 10 for math, reading, and writing, and grade levels 3 through 12 for science. Generally, auditors considered Safford USD’s student AIMS scores and graduation rate to be similar if they were within 5 percentage points of peer averages, slightly higher/lower if they were within 6 to 10 percentage points of peer averages, higher/lower if they were within 11 to 15 percentage points of peer averages, and much higher/lower if they were more than 15 percentage points higher/lower than peer averages. In determining the District’s overall student achievement level, auditors considered the differences in AIMS scores between Safford USD and its peers, as well as the District’s graduation rate and Arizona Department of Education-assigned letter grade.2 To analyze Safford USD’s operational efficiency in administration, plant operations, and food service, auditors selected a group of peer districts based on their similarities in district size, type, 1 Operational spending includes costs incurred for the District’s day-to-day operations. It excludes costs associated with repaying debt, capital outlay (such as purchasing land, buildings, and equipment), and programs such as adult education and community service that are outside the scope of preschool through grade 12 education. 2 The Arizona Department of Education’s A-F Letter Grade Accountability System assigns letter grades based primarily on academic growth and the number of students passing AIMS. Arizona Office of the Auditor General Page a-2 Safford Unified School District • Report No. 15-211 and location. This operational peer group includes Safford USD and 20 other unified or union high school districts that also served between 2,000 and 7,999 students and were located in towns and rural areas. To analyze Safford USD’s operational efficiency in transportation, auditors selected a group of peer districts based on their similarities in miles per rider and location. This transportation peer group includes Safford USD and 12 other school districts that also traveled less than 200 miles per rider and were located in towns and rural areas. Auditors compared Safford USD’s costs to its peer group averages. Generally, auditors considered Safford USD’s costs to be similar if they were within 5 percent of peer averages, slightly higher/lower if they were within 6 to 10 percent of peer averages, higher/lower if they were within 11 to 15 percent of peer averages, and much higher/lower if they were more than 15 percent higher/lower than peer averages. However, in determining the overall efficiency of Safford USD’s nonclassroom operational areas, auditors also considered other factors that affect costs and operational efficiency such as square footage per student, meal participation rates, and bus capacity utilization, as well as auditor observations and any unique or unusual challenges the District had. Additionally: • To assess the District’s computer information systems and network, auditors evaluated certain controls over its logical and physical security, including user access to sensitive data and critical systems, and the security of servers that house the data and systems. Auditors also evaluated certain district policies over the system such as data sensitivity, backup, and recovery. • To assess whether the District’s administration effectively and efficiently managed district operations, auditors evaluated administrative procedures and controls at the district and school level, including reviewing personnel files and other pertinent documents and interviewing district and school administrators about their duties. Auditors also reviewed and evaluated fiscal year 2013 administration costs and compared these to peer districts’. • To assess whether the District managed its plant operations and maintenance function appropriately and whether it functioned efficiently, auditors reviewed and evaluated fiscal year 2013 plant operations and maintenance costs and district building space, and compared these costs and capacities to peer districts’. • To assess whether the District managed its food service program appropriately and whether it functioned efficiently, auditors reviewed fiscal year 2013 food service revenues and expenditures, including labor and food costs; compared costs to peer districts’; reviewed the Arizona Department of Education’s food service-monitoring reports; reviewed point-of- sale system reports; and observed food service operations. Auditors also reviewed all documents related to the District’s contract with a food service management company to operate its food service program, including the fiscal year 2013 contract and all documents related to the procurement of the contract. • To assess whether the District managed its transportation program appropriately and whether it functioned efficiently, auditors reviewed and evaluated required transportation reports, driver files, bus maintenance and safety records, bus routing, and bus capacity usage, and reviewed the District’s procedures for purchasing and securing fuel. Auditors also reviewed fiscal year 2013 transportation costs and compared them to peer districts’ average costs. Arizona Office of the Auditor General Page a-3 Safford Unified School District • Report No. 15-211 • To assess whether the District was in compliance with Proposition 301’s Classroom Site Fund requirements, auditors reviewed fiscal year 2013 expenditures to determine whether they were appropriate and if the District properly accounted for them. No issues of noncompliance were identified. • To assess the District’s financial accounting data, auditors evaluated the District’s internal controls related to expenditure processing and scanned all fiscal year 2013 payroll and accounts payable transactions for proper account classification and reasonableness. Additionally, auditors reviewed detailed payroll and personnel records for 30 of the 477 individuals who received payments in fiscal year 2013 through the District’s payroll system and reviewed supporting documentation for 30 of the 8,100 fiscal year 2013 accounts payable transactions. No improper transactions were identified. Auditors also evaluated other internal controls that were considered significant to the audit objectives and reviewed fiscal year 2013 spending and prior years’ spending trends across operational areas. We conducted this performance audit in accordance with generally accepted government auditing standards. Those standards require that we plan and perform the audit to obtain sufficient, appropriate evidence to provide a reasonable basis for our findings and conclusions based on our audit objectives. We believe that the evidence obtained provides a reasonable basis for our findings and conclusions based on our audit objectives. The Auditor General and her staff express their appreciation to the Safford Unified School District’s board members, superintendent, and staff for their cooperation and assistance throughout the audit. DISTRICT RESPONSE DISTRICT RESPONSE FINDING 1: District needs to strengthen controls over computer systems and network. Recommendation 1: The District should limit employees’ access to the accounting system to only the access necessary to meet their job responsibilities to help ensure that no single employee can complete transactions without an independent review. District Response: The District concurs with this finding. Access levels will be defined as needed based on job positions and appropriate security access will be implemented. The IT Systems Administrator will be trained on managing access controls for the accounting system by the software vendor. Recommendation 2: The District should eliminate unnecessary generic user accounts in its network and systems and properly control any remaining generic accounts. District Response: The District concurs with this finding. Generic accounts were reviewed and unnecessary accounts were eliminated when the audit was still on site. A procedure to review the need of all accounts each quarter was also put in place. Generic accounts are now limited to: Technology testing accounts - necessary to test functionality of different user groups. Auto-login student accounts - necessary at the elementary schools so labs can function easily with young students and in the adult education programs due to sporadic and unpredictable enrollment. IT controls have been implemented to limit the resources available to these accounts. These accounts may only log into environments specifically designated for its intended purpose. Auto-login other account - necessary for Time Clock computers since those users do not have accounts, OPAC library catalogue, District office reception computer for job applications and lunch applications. Foods accounts because different users run the meal program. IT controls have been implemented to limit the resources available to these accounts. These accounts may only log into environments specifically designated for its intended purpose. Service accounts - unnecessary accounts were eliminated. Recommendation 3: The District should limit physical access to its IT server room so that only appropriate personnel have access. District Response: The District concurs with this finding. The replacement cores for the locks were ordered as part of the full District rekeying project. This will limit access to the server room, as well as campus site MDF’s and IDF’s to appropriate technology personnel only. Recommendation 4: The District should create a formal disaster recovery plan and test it periodically to identify and remedy deficiencies. District Response: The District concurs with this finding. Although the District had a Data Backup and Recovery plan in place, it was determined during audit this plan was not sufficient as a full disaster recovery plan with more detail and instruction necessary. The District has obtained copies of full disaster recovery plans from other school districts that meet the Auditor General's guidelines which is assisting the District as it amends its plan. Additionally, it is implementing a process for periodic review and testing of the disaster recovery plan.
Object Description
TITLE | Performance Audit, Safford Unified School District |
CREATOR | State of Arizona, Office of the Auditor General, Division of School Audits |
SUBJECT | School districts--Arizona--Graham County--Finance--Statistics; Education--Arizona--Graham County--Finance |
Browse Topic |
Education |
DESCRIPTION | This title contains one or more items. |
Language | English |
Contributor | State of Arizona, Office of the Auditor General |
TYPE | Text |
Source Identifier | LG 6.2: S 24 S 13/ 2015 /E |
Location | o922543399 |
REPOSITORY | Arizona State Library, Archives and Public Records—Law and Research Library |
Description
TITLE | Performance Audit, Safford Unified School District |
DESCRIPTION | 17 pages (PDF version). File size: 5,995 KB |
TYPE | Text |
Acquisition Note | Harvested from the Auditor General's website November 5, 2015. |
RIGHTS MANAGEMENT | Copyright to this resource is held by the creating agency and is provided here for educational purposes only. It may not be downloaded, reproduced or distributed in any format without written permission of the creating agency. Any attempt to circumvent the access controls placed on this file is a violation of United States and international copyright laws, and is subject to criminal prosecution. |
DATE ORIGINAL | 2015-09 |
Time Period |
2010s (2010-2019) |
ORIGINAL FORMAT | Born Digital |
Source Identifier | LG 6.2: S 24 S 13/ 2015 /E |
Location | o922543399 |
DIGITAL IDENTIFIER | Safford_USD_Report.pdf |
DIGITAL FORMAT |
PDF (Portable Document Format) |
REPOSITORY | Arizona State Library, Archives and Public Records—Law and Research Library |
File Size | 6138639 Bytes |
Full Text | Performance Audit Division of School Audits A REPORT TO THE ARIZONA LEGISLATURE September • 2015 Report No. 15-211 Debra K. Davenport Auditor General Safford Unified School District The Auditor General is appointed by the Joint Legislative Audit Committee, a bipartisan committee composed of five senators and five representatives. Her mission is to provide independent and impartial information and specific recommendations to improve the opera-tions of state and local government entities. To this end, she provides financial audits and accounting services to the State and political subdivisions, investigates possible misuse of public monies, and conducts performance audits of school districts, state agencies, and the programs they administer. The Joint Legislative Audit Committee Audit Staff Ross Ehrick, Director Ann Orrico, Manager and Contact Person Jennie Snedecor, Team Leader Jessica Cupero Nate Robb Joshua Roloson Alexa Tavasci The Auditor General’s reports are available at: www.azauditor.gov Printed copies of our reports may be requested by contacting us at: Office of the Auditor General 2910 N. 44th Street, Suite 410 • Phoenix, AZ 85018 • (602) 553-0333 Representative John Allen, Vice Chair Representative Regina Cobb Representative Debbie McCune Davis Representative Rebecca Rios Representative Kelly Townsend Representative David Gowan (ex officio) Senator Judy Burges, Chair Senator Nancy Barto Senator Lupe Contreras Senator David Farnsworth Senator Lynne Pancrazi Senator Andy Biggs (ex officio) 2910 NORTH 44th STREET • SUITE 410 • PHOENIX, ARIZONA 85018 • (602) 553-0333 • FAX (602) 553-0051 September 16, 2015 Members of the Arizona Legislature The Honorable Doug Ducey, Governor Governing Board Safford Unified School District Mr. Ken VanWinkle, Superintendent Safford Unified School District Transmitted herewith is a report of the Auditor General, A Performance Audit of the Safford Unified School District, conducted pursuant to A.R.S. §41-1279.03. I am also transmitting within this report a copy of the Report Highlights for this audit to provide a quick summary for your convenience. As outlined in its response, the District agrees with all of the findings and recommendations. My staff and I will be pleased to discuss or clarify items in the report. Sincerely, Debbie Davenport Auditor General Similar student achievement and efficient operations overall September • Report No. 15-211 2015 In fiscal year 2013, Safford USD’s student achievement was similar to peer districts’, and the District operated efficiently overall with costs that were lower than or similar to peer district averages. Safford USD’s administrative cost per pupil was similar to the peer districts’ average, but the District needs to strengthen controls over its computer systems and network. The District’s plant operations costs were much lower than peer districts’, primarily because the District employed fewer plant staff, used energy-and water-saving practices, and made efficient use of building space. In addition, the District’s food service program was self-sufficient, operating with a cost per meal that was similar to the peer district average, and its transportation program was reasonably efficient, with routes filling buses to 76 percent of capacity and drivers performing other duties, such as maintenance, when not driving. REPORT HIGHLIGHTS PERFORMANCE AUDIT Our Conclusion Safford Unified School District Student achievement similar to peer districts’—In fiscal year 2013, Safford USD’s student AIMS scores in math, reading, and writing were slightly higher than the peer districts’ averages, and its science scores were similar. Under the Arizona Department of Education’s A-F Letter Grade Accountability System, the District received an overall letter grade of B. Twelve of the 22 peer districts also received Bs, 2 peer districts received As, 5 peer districts received Cs, and 3 peer districts received Ds. Additionally, the District’s 67 percent graduation rate was lower than the peer districts’ 81 percent average and the State’s 75 percent average. Efficient operations overall—In fiscal year 2013, Safford USD operated efficiently overall, with costs that were lower than, or similar to, peer district averages. Operating efficiently allowed the District to spend 11 percent, or $398, more per pupil in the classroom than peer districts, on average, despite spending less per pupil overall. The District’s administrative cost per pupil was similar to the peer districts’ average, and its plant operations costs were much lower primarily because the District employed fewer plant operations staff, used energy- and water-saving practices, and made efficient use of building space. In addition, the District’s food service program was self-sufficient, operating with a cost per meal that was similar to the peer district average, and its transportation program was reasonably efficient, with routes filling buses to 76 percent of capacity and drivers performing other duties, such as maintenance, when not driving. 0% 10% 20% 30% 40% 50% 60% 70% 80% 90% 100% Math Reading Writing Science Safford USD Peer group State-wide Percentage of students who met or exceeded state standards (AIMS) Fiscal year 2013 Safford USD Table 1: Safford USD Peer group average Administration $779 $764 Plant operations 589 921 Food service 328 364 Transportation 226 394 Comparison of per pupil expenditures by operational area Fiscal year 2013 In fiscal year 2013, Safford USD lacked adequate controls over its computer systems and network. Although no improper transactions were detected in the items auditors reviewed, these poor controls exposed the District to an increased risk of errors, fraud, unauthorized access to sensitive information, and loss of data. More specifically: • Broad access to accounting system—Twenty-five of the District’s 36 accounting system users had more access to the system than they needed to perform their job duties, including 24 employees who had the ability to perform all accounting system District needs to strengthen its computer controls REPORT HIGHLIGHTS PERFORMANCE AUDIT September 2015 • Report No. 15-211 A copy of the full report is available at: www.azauditor.gov Contact person: Ann Orrico (602) 553-0333 Safford Unified School District functions. Granting employees system access beyond what is required for their job duties, especially full system access, exposes the District to a greater risk of errors, misuse of sensitive information, and fraud, such as processing false invoices or adding and paying nonexistent vendors or employees. • Generic accounts—We found that 18 network accounts, 4 accounting system accounts, and 1 student information system account were unnecessary, active generic accounts not assigned to specific users, making it difficult or impossible to hold anyone accountable if inappropriate activity occurred while using these accounts. • Inappropriate server room access—The District’s servers were stored in a room next to its IT department offices, which was secured by lock and key. However, the server room was accessible to custodial and other non-IT staff who were assigned master keys to the District’s facilities, which increased the risk of network interruption due to intentional or accidental equipment damage. • Lack of a disaster recovery plan—The District lacked a written, up-to-date, and tested disaster recovery plan for its network and critical financial and student information systems. Having a written and properly designed disaster recovery plan would help ensure continuous accessibility to sensitive and critical data in the event of a system or equipment failure or interruption. The District should: • Modify employee access to its accounting system to ensure that an employee cannot initiate and complete a transaction without independent review and approval. • Eliminate unnecessary generic user accounts in its network and systems and properly control any remaining generic accounts. • Limit physical access to its computer server room. • Create and test a formal disaster recovery plan. Recommendations Arizona Office of the Auditor General Page i TABLE OF CONTENTS District Overview 1 Student achievement similar to peer districts’ and state averages 1 District operated efficiently overall 1 Finding 1: District needs to strengthen controls over computer systems and network 3 Increased risk of unauthorized access to critical computer systems and network 3 Lack of disaster recovery plan could result in interrupted operations or data loss 4 Recommendations 4 Appendix Objectives, Scope, and Methodology a-1 District Response Table 1 Comparison of per pupil expenditures by operational area Fiscal year 2013 (Unaudited) 2 Figure 1 Percentage of students who met or exceeded state standards (AIMS) Fiscal year 2013 (Unaudited) 1 Safford Unified School District • Report No. 15-211 Safford Unified School District • Report No. 15-211 Arizona Office of the Auditor General Safford Unified School District is a medium-large sized, rural district located in eastern Arizona in Graham County. In fiscal year 2013, the District served 3,057 students in kindergarten through 12th grade at its six schools, including 3 elementary schools, 1 middle school, 1 high school, and 1 alternative high school. In fiscal year 2013, Safford USD’s student achievement was similar to peer districts’, and the District operated efficiently overall with most costs lower than, or similar to, the peer districts’ averages.1 The District’s administrative cost per pupil was similar to the peer districts’ average, and its plant operations and food service program operated efficiently. Further, despite a higher cost per rider, the District’s transportation program was reasonably efficient. However, the District should strengthen controls over its computer network and systems. Student achievement similar to peer districts’ and state averages In fiscal year 2013, 66 percent of the District’s students met or exceeded state standards in math, 83 percent in reading, 57 percent in writing, and 60 percent in science. As shown in Figure 1, Safford USD’s math, reading, and writing scores were slightly higher than peer district averages, and its science scores were similar. Under the Arizona Department of Education’s A-F Letter Grade Accountability System, Safford USD received an overall letter grade of B for fiscal year 2013. Twelve of the 22 peer districts also received Bs, 2 peer districts received As, 5 peer districts received Cs, and 3 peer districts received Ds. The District’s 67 percent graduation rate in fiscal year 2013 was lower than the peer districts’ 81 percent average and the State’s 75 percent average. District operated efficiently overall As shown in Table 1 and based on auditors’ review of various performance measures, Safford USD operated efficiently overall in fiscal year 2013 with costs that were similar to, or lower than, peer district’s average costs in all operational areas. Operating efficiently allowed the District to spend 11 1 Auditors developed three peer groups for comparative purposes. See page a-1 of this report’s Appendix for further explanation of the peer groups. DISTRICT OVERVIEW 0% 10% 20% 30% 40% 50% 60% 70% 80% 90% 100% Math Reading Writing Science Safford USD Peer group State-wide Figure 1: Percentage of students who met or exceeded state standards (AIMS) Fiscal year 2013 (Unaudited) Source: Auditor General staff analysis of fiscal year 2013 test results on Arizona’s Instrument to Measure Standards (AIMS). Page 1 Arizona Office of the Auditor General Page 2 Safford Unified School District • Report No. 15-211 percent, or $398, more per pupil in the classroom than peer districts, on average, despite spending less per pupil overall. Safford USD spent less, in part, because it received less federal grant monies, such as Title I, than the peer districts averaged because its poverty level was 6 percent lower than the peer districts’ average. Similar administrative costs but some improvements needed—Safford USD’s $779 administrative cost per pupil was similar to the peer districts’ $764 per pupil average. However, auditors identified some computer systems and network controls that need strengthening (see Finding 1, page 3). Much lower plant operations costs— Compared to peer districts’ averages, Safford USD’s fiscal year 2013 plant operations costs were 30 percent lower per square foot and 36 percent lower per student. The District spent less on plant operations primarily because some plant employees spent part of their time on student transportation, driving daily bus routes. As a result, the District employed fewer plant operations staff per square foot than the peer districts’ average. The District also used low-cost irrigation and desert landscaping to keep its water costs much lower than the peer districts’ average. In addition, the District kept its energy costs low partly because in fiscal year 2013, the District began controlling energy usage through a central energy management system that monitored and adjusted building temperatures to keep them within district-approved ranges. The District also upgraded its lighting to energy-efficient lighting fixtures. Finally, the District made efficient use of its building space by using an average of 80 percent of its building capacity. Efficient food service program—Safford USD’s $2.58 cost per meal was similar to the peer districts’ average of $2.67, and its cost per pupil was 10 percent lower. The District kept its costs down and maintained a self-sufficient program partly by negotiating favorable terms with its food service vendor, including paying substantially less for salaries and benefits than the average for the peer districts that also outsourced their food service operations. Transportation program reasonably efficient—Safford USD’s $3.43 cost per mile was 4 percent lower than the peer districts’ $3.58 average, and its $634 cost per rider was 37 percent higher than the peer districts’ $462 average. The District’s cost per rider was higher partly because it transported 27 percent fewer riders than the peer districts, on average, and therefore, certain costs, such as the transportation director’s salary, were spread over fewer riders when calculating the cost per rider. Despite the higher cost per rider, the District operated reasonably efficient bus routes, filling buses to 76 percent of seat capacity, on average. In addition, the District employed other cost-saving measures, including having its drivers perform other duties, such as maintenance, at the District when not driving. Safford USD Table 1: Spending Safford USD Peer group average State average Total per pupil $6,770 $7,187 $7,496 Classroom dollars 4,177 3,779 4,031 Nonclassroom dollars Administration 779 764 746 Plant operations 589 921 924 Food service 328 364 396 Transportation 226 394 369 Student support 366 561 582 Instruction support 305 404 448 Table 1: Comparison of per pupil expenditures by operational area Fiscal year 2013 (Unaudited) Source: Auditor General staff analysis of fiscal year 2013 Arizona Department of Education student membership data and district-reported accounting data. Arizona Office of the Auditor General Page 3 Safford Unified School District • Report No. 15-211 District needs to strengthen controls over computer systems and network In fiscal year 2013, Safford USD lacked adequate controls over its computer systems and network. Although no improper transactions were detected in the items auditors reviewed, these poor controls exposed the District to an increased risk of errors, fraud, unauthorized access to sensitive information, and loss of data. Increased risk of unauthorized access to critical computer systems and network Weak controls over user access to the District’s accounting and student information systems and computer network increased the risk of unauthorized access to these critical systems. Specifically: • Broad access to accounting system—Auditors reviewed the District’s accounting system user access report for all 36 users and identified 25 district employees who had more access to the accounting system than they needed to perform their job duties, including 24 employees who had the ability to perform all accounting system functions. Although no improper transactions were detected in the 30 payroll and 30 accounts payable transactions auditors reviewed, granting employees system access beyond what is required for their job duties, especially full system access, exposes the District to a greater risk of errors, misuse of sensitive information, and fraud, such as processing false invoices or adding and paying nonexistent vendors or employees. • Generic accounts—Auditors also reviewed the District’s user access reports for its network and systems and found that 18 network accounts, 4 accounting system accounts, and 1 student information system account were unnecessary, active generic accounts. Having generic accounts creates additional risk because they are not assigned to specific individuals and therefore make it difficult or impossible for the District to hold anyone accountable if inappropriate activity were conducted using these accounts. The District should eliminate all unnecessary generic accounts and minimize the number of generic accounts it maintains and establish proper controls over them, such as disabling them when not being used. • Inappropriate server room access—The District did not sufficiently protect its server room. The District’s servers were stored in a room next to its IT department offices, which was secured by lock and key. However, the server room was accessible to custodial and other non-IT staff who were assigned master keys to the District’s facilities, which increased the risk of network interruption due to intentional or accidental equipment damage. FINDING 1 Arizona Office of the Auditor General Page 4 Safford Unified School District • Report No. 15-211 Lack of disaster recovery plan could result in interrupted operations or data loss The District did not have a written, up-to-date, and tested disaster recovery plan for its network and critical financial and student information systems. A written and properly designed disaster recovery plan would help ensure continued operation in the case of a system or equipment failure or interruption. The plan should include detailed information on how to restore systems in such an event. As part of a disaster recovery plan, the District should also perform documented tests of its ability to restore electronic data files from data backups, which are important to ensure continuous accessibility to sensitive and critical data. Recommendations 1. The District should limit employees’ access to the accounting system to only the access necessary to meet their job responsibilities to help ensure that no single employee can complete transactions without an independent review. 2. The District should eliminate unnecessary generic user accounts in its network and systems and properly control any remaining generic accounts. 3. The District should limit physical access to its IT server room so that only appropriate personnel have access. 4. The District should create a formal disaster recovery plan and test it periodically to identify and remedy deficiencies. Arizona Office of the Auditor General Page a-1 APPENDIX Safford Unified School District • Report No. 15-211 Objectives, Scope, and Methodology The Office of the Auditor General has conducted a performance audit of the Safford Unified School District pursuant to Arizona Revised Statutes §41-1279.03(A)(9). Based in part on their effect on classroom dollars, as previously reported in the Office of the Auditor General’s annual report, Arizona School District Spending (Classroom Dollars report), this audit focused on the District’s efficiency and effectiveness in four operational areas: administration, plant operations and maintenance, food service, and student transportation. To evaluate costs in each of these areas, only operational spending, primarily for fiscal year 2013, was considered.1 Further, because of the underlying law initiating these performance audits, auditors also reviewed the District’s use of Proposition 301 sales tax monies and how it accounted for dollars spent in the classroom. In conducting this audit, auditors used a variety of methods, including examining various records, such as available fiscal year 2013 summary accounting data for all districts and Safford USD’s fiscal year 2013 detailed accounting data, contracts, and other district documents; reviewing district policies, procedures, and related internal controls; reviewing applicable statutes; and interviewing district administrators and staff. To compare districts’ academic indicators, auditors developed a student achievement peer group using poverty as the primary factor because poverty has been shown to be associated with student achievement. Auditors also used secondary factors such as district type and location to further refine these groups. Safford USD’s student achievement peer group includes Safford USD and the 22 other unified school districts that also served student populations with poverty rates between 20 and 27 percent in towns and rural areas. Auditors compared Safford USD’s graduation rate and its student AIMS scores to those of its peer group averages. The same grade levels were included to make the AIMS score comparisons between Safford USD and its peer group. AIMS scores were calculated using test results of the grade levels primarily tested, including grade levels 3 through 8 and 10 for math, reading, and writing, and grade levels 3 through 12 for science. Generally, auditors considered Safford USD’s student AIMS scores and graduation rate to be similar if they were within 5 percentage points of peer averages, slightly higher/lower if they were within 6 to 10 percentage points of peer averages, higher/lower if they were within 11 to 15 percentage points of peer averages, and much higher/lower if they were more than 15 percentage points higher/lower than peer averages. In determining the District’s overall student achievement level, auditors considered the differences in AIMS scores between Safford USD and its peers, as well as the District’s graduation rate and Arizona Department of Education-assigned letter grade.2 To analyze Safford USD’s operational efficiency in administration, plant operations, and food service, auditors selected a group of peer districts based on their similarities in district size, type, 1 Operational spending includes costs incurred for the District’s day-to-day operations. It excludes costs associated with repaying debt, capital outlay (such as purchasing land, buildings, and equipment), and programs such as adult education and community service that are outside the scope of preschool through grade 12 education. 2 The Arizona Department of Education’s A-F Letter Grade Accountability System assigns letter grades based primarily on academic growth and the number of students passing AIMS. Arizona Office of the Auditor General Page a-2 Safford Unified School District • Report No. 15-211 and location. This operational peer group includes Safford USD and 20 other unified or union high school districts that also served between 2,000 and 7,999 students and were located in towns and rural areas. To analyze Safford USD’s operational efficiency in transportation, auditors selected a group of peer districts based on their similarities in miles per rider and location. This transportation peer group includes Safford USD and 12 other school districts that also traveled less than 200 miles per rider and were located in towns and rural areas. Auditors compared Safford USD’s costs to its peer group averages. Generally, auditors considered Safford USD’s costs to be similar if they were within 5 percent of peer averages, slightly higher/lower if they were within 6 to 10 percent of peer averages, higher/lower if they were within 11 to 15 percent of peer averages, and much higher/lower if they were more than 15 percent higher/lower than peer averages. However, in determining the overall efficiency of Safford USD’s nonclassroom operational areas, auditors also considered other factors that affect costs and operational efficiency such as square footage per student, meal participation rates, and bus capacity utilization, as well as auditor observations and any unique or unusual challenges the District had. Additionally: • To assess the District’s computer information systems and network, auditors evaluated certain controls over its logical and physical security, including user access to sensitive data and critical systems, and the security of servers that house the data and systems. Auditors also evaluated certain district policies over the system such as data sensitivity, backup, and recovery. • To assess whether the District’s administration effectively and efficiently managed district operations, auditors evaluated administrative procedures and controls at the district and school level, including reviewing personnel files and other pertinent documents and interviewing district and school administrators about their duties. Auditors also reviewed and evaluated fiscal year 2013 administration costs and compared these to peer districts’. • To assess whether the District managed its plant operations and maintenance function appropriately and whether it functioned efficiently, auditors reviewed and evaluated fiscal year 2013 plant operations and maintenance costs and district building space, and compared these costs and capacities to peer districts’. • To assess whether the District managed its food service program appropriately and whether it functioned efficiently, auditors reviewed fiscal year 2013 food service revenues and expenditures, including labor and food costs; compared costs to peer districts’; reviewed the Arizona Department of Education’s food service-monitoring reports; reviewed point-of- sale system reports; and observed food service operations. Auditors also reviewed all documents related to the District’s contract with a food service management company to operate its food service program, including the fiscal year 2013 contract and all documents related to the procurement of the contract. • To assess whether the District managed its transportation program appropriately and whether it functioned efficiently, auditors reviewed and evaluated required transportation reports, driver files, bus maintenance and safety records, bus routing, and bus capacity usage, and reviewed the District’s procedures for purchasing and securing fuel. Auditors also reviewed fiscal year 2013 transportation costs and compared them to peer districts’ average costs. Arizona Office of the Auditor General Page a-3 Safford Unified School District • Report No. 15-211 • To assess whether the District was in compliance with Proposition 301’s Classroom Site Fund requirements, auditors reviewed fiscal year 2013 expenditures to determine whether they were appropriate and if the District properly accounted for them. No issues of noncompliance were identified. • To assess the District’s financial accounting data, auditors evaluated the District’s internal controls related to expenditure processing and scanned all fiscal year 2013 payroll and accounts payable transactions for proper account classification and reasonableness. Additionally, auditors reviewed detailed payroll and personnel records for 30 of the 477 individuals who received payments in fiscal year 2013 through the District’s payroll system and reviewed supporting documentation for 30 of the 8,100 fiscal year 2013 accounts payable transactions. No improper transactions were identified. Auditors also evaluated other internal controls that were considered significant to the audit objectives and reviewed fiscal year 2013 spending and prior years’ spending trends across operational areas. We conducted this performance audit in accordance with generally accepted government auditing standards. Those standards require that we plan and perform the audit to obtain sufficient, appropriate evidence to provide a reasonable basis for our findings and conclusions based on our audit objectives. We believe that the evidence obtained provides a reasonable basis for our findings and conclusions based on our audit objectives. The Auditor General and her staff express their appreciation to the Safford Unified School District’s board members, superintendent, and staff for their cooperation and assistance throughout the audit. DISTRICT RESPONSE DISTRICT RESPONSE FINDING 1: District needs to strengthen controls over computer systems and network. Recommendation 1: The District should limit employees’ access to the accounting system to only the access necessary to meet their job responsibilities to help ensure that no single employee can complete transactions without an independent review. District Response: The District concurs with this finding. Access levels will be defined as needed based on job positions and appropriate security access will be implemented. The IT Systems Administrator will be trained on managing access controls for the accounting system by the software vendor. Recommendation 2: The District should eliminate unnecessary generic user accounts in its network and systems and properly control any remaining generic accounts. District Response: The District concurs with this finding. Generic accounts were reviewed and unnecessary accounts were eliminated when the audit was still on site. A procedure to review the need of all accounts each quarter was also put in place. Generic accounts are now limited to: Technology testing accounts - necessary to test functionality of different user groups. Auto-login student accounts - necessary at the elementary schools so labs can function easily with young students and in the adult education programs due to sporadic and unpredictable enrollment. IT controls have been implemented to limit the resources available to these accounts. These accounts may only log into environments specifically designated for its intended purpose. Auto-login other account - necessary for Time Clock computers since those users do not have accounts, OPAC library catalogue, District office reception computer for job applications and lunch applications. Foods accounts because different users run the meal program. IT controls have been implemented to limit the resources available to these accounts. These accounts may only log into environments specifically designated for its intended purpose. Service accounts - unnecessary accounts were eliminated. Recommendation 3: The District should limit physical access to its IT server room so that only appropriate personnel have access. District Response: The District concurs with this finding. The replacement cores for the locks were ordered as part of the full District rekeying project. This will limit access to the server room, as well as campus site MDF’s and IDF’s to appropriate technology personnel only. Recommendation 4: The District should create a formal disaster recovery plan and test it periodically to identify and remedy deficiencies. District Response: The District concurs with this finding. Although the District had a Data Backup and Recovery plan in place, it was determined during audit this plan was not sufficient as a full disaster recovery plan with more detail and instruction necessary. The District has obtained copies of full disaster recovery plans from other school districts that meet the Auditor General's guidelines which is assisting the District as it amends its plan. Additionally, it is implementing a process for periodic review and testing of the disaster recovery plan. |