State audit finds no abuse but potential for misuse

VOORHEESVILLE — An audit by the state comptroller’s office found that there is some potential for the “loss or misuse” of school district funds, but no evidence of abuse.

District officials have committed to acting on the recommendations from the comptroller’s office.

“The district did not have a banking agreement with each bank that it uses for electronic transfers.  In addition, the treasurer’s method of accessing the banking websites is not secure,” according to the state-required audit report, based on an examination of district financial management between July 1, 2008 and May 4, 2010.  “As a result, district funds are at risk of loss and misuse.  Based on our testing, we found no inappropriate or unauthorized transfers of district funds,” the report says.

The district tightened its internal controls after its former superintendent and assistant superintendent for business were accused by the comptroller’s office in 2006 of making improper payments to themselves totaling $216,000.

According to the current audit, the proper procedure for wire transfers includes authorization supported by documents that itemize the purpose, source, destination, and amount of the transfer.  Before transferring the funds, the bank should check the request with a district official other than the person who made the request.

“The board adopted a written policy related to approving, initiating, documenting, reconciling, and monitoring wire transfers,” the report says of the district’s seven-member school board.  “However, the district did not have a banking agreement with each bank that it uses for electronic transfers.”

Of the three banks with which the district does online banking, two of them handle electronic transfers but the district has an electronic banking agreement with just one of them, according to the report.

Superintendent Teresa Thayer Snyder responded in a Feb. 7 letter to the comptroller’s office that the district is developing an online banking agreement that will comply with General Municipal Law and a security procedure as defined in Uniform Commercial Code.

The comptroller’s office reviewed 15 online bank transfers from the 2008-09 and 2009-10 fiscal years totaling about $9 million.  The office found that all of them, which had been selected to include samples from all the district’s banks, multiple bank accounts, covering a range of amounts, “had documentation showing that the transfers were authorized by the assistant superintendent or other authorized district employee prior to the transfers being made by the treasurer, the transfers were for legitimate district purposes, and, when necessary, the transfers had the authorization of a secondary official of the district,” according to the report.  “We did not find any inappropriate or unauthorized transfers,” it concluded.

On a related note, the comptroller’s office found that “access to the bank website is not adequately secured,” since auditors witnessed the treasurer go to the bank’s website through a link from the district website rather than by typing the address in to the web browser’s address bar.  “We also found that the treasurer did not erase the web browser cache, temporary Internet files, cookies, or history after online banking session.  As a result, the district is at higher risk for financial losses.”

The comptroller’s office recommended that the district establish procedures prohibiting the use of links to banking websites and encouraging employees to erase the web browser cache, temporary Internet files, cookies, and history.  The district has implemented all those recommendations, Snyder responded.

The final problem identified in the audit is that “district officials have not developed procedures to properly sanitize computer equipment before disposal,” which means that people’s personal information could later be retrieved from the equipment.

Snyder responded that the district would present the school board with a policy for properly sanitizing computer equipment by May 31.