Information Technology Risk Considerations

By: Brian R. DuMond, CPA (Feb, 2012)

The February 2012 issue of Tone at the Top, a newsletter produced by the Institute of Internal Auditors, had an excellent article regarding audit committees entitled "Rest Assured." That article cited a survey of 250 audit committee members in which strategic planning and oversight of technology risks were named as two of the top challenges their respective organizations faced. In regard to technology risks, the article noted that today's concerns include cloud computing, social media, and mobile technology. In addition, cyber-security was cited as one of the leading risks that today's organizations must confront.

As a school board member, you are faced with even greater challenges than your counterparts in many other industries. With a tax cap and declining state aid limiting the district's revenue growth, combined with rising costs and no relief in sight for unfunded mandates, school districts are forced to work with less. School districts are constantly evaluating the resources they can invest in non-instructional costs, including their Information Technology (IT) departments. In short, many IT departments may be understaffed or dependent on one person to help a district navigate through these challenges. This could create additional risk in this area that has gone either unidentified or unaddressed.

We offer the following questions for board members to consider when evaluating their information technology risks.

    • How does your district secure sensitive district data on mobile IT equipment such as laptops, smartphones, iPads, etc.?

    • When the district disposes of its computers, copiers, etc., how is the data stored in these devices destroyed?

    • How is the financial data, instructional data, and personal data of employees, students, and their families maintained, stored, and protected from unauthorized access or use?

    • Where is the data stored, and how is it protected from hackers, natural disaster, etc.?

    • What is the district's plan to get up and running should its main server(s) go down?

    • Has this plan been tested?

    • If the district's plan partially involves reliance on another entity such as a BOCES, has a gap analysis been done as to where the district's plan leaves off and the other entity's plan begins?

    • Does the district use any proprietary software or software that has been modified? If so, has there been an evaluation of ongoing support for the software?

    • What is the age vs. useful life of the district's computer hardware?

    • Do the district's policies include one for mobile IT equipment, internet safety, and social media?

We encourage board of education and/or audit committee members to gain an understanding of how the district is managing its IT risk, including what controls are in place to mitigate these risks.