A new report from the Kansas Legislative Division of Post Audit has found a troubling lack of security control over access to school district finances and accounting systems.
LPA reviewed the accounting system access controls of 20 districts and found “only some had adequate access controls for their accounting systems, and very few had adequate written policies.”
LPA audited three categories of access control for the accounting systems: account management, identity management, and user limits. It found that none of the districts had “adequate IT security access control practices in all three categories.”
Nineteen of 20 districts lacked all expected account management control practices. Sixteen of 20 did not have identity management practices.
The situation was only slightly better in limiting the access of users to those who had a need to access the accounting system.
More than half of the districts — 11 of 20 — “had all expected controls in place to limit user access to their accounting systems, and most school districts had at least four of the five controls we reviewed.”
However, the report said that very few of the districts reviewed had “adequate written policies related to any access controls for their accounting systems.” It noted that smaller districts were more likely to lack access controls for their accounting systems.
Indeed, the report found that in some districts, former employees retained access to the accounting system for weeks after they left employment, rather than having their credentials terminated immediately.
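The offboarding gap described above (former employees keeping accounting system access for weeks) is detectable with a routine reconciliation of the accounting system's account list against the HR roster. The following is an added example, not code from the audit report or from any district's system: it uses constructed sample data and hypothetical usernames and employee IDs, and flags three conditions that map to the account management and user limits categories in the audit: enabled accounts whose owner has a termination date on record, accounts with no HR owner at all, and enabled accounts that have not been used within a review window.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional


@dataclass(frozen=True)
class Employee:
    employee_id: str
    name: str
    termination_date: Optional[date]  # None means still employed


@dataclass(frozen=True)
class Account:
    username: str
    employee_id: Optional[str]  # None means no HR owner is recorded
    enabled: bool
    last_login: Optional[date]


# Constructed sample data (not taken from the audit): an HR roster export and an
# account export from a hypothetical district accounting system.
HR_ROSTER = [
    Employee("E1001", "Alice Example", None),
    Employee("E1002", "Bob Example", date(2024, 3, 1)),
    Employee("E1003", "Carol Example", date(2024, 3, 20)),
]

ACCOUNTS = [
    Account("alice", "E1001", True, date(2024, 4, 1)),
    Account("bob", "E1002", True, date(2024, 3, 15)),      # still enabled after leaving
    Account("carol", "E1003", False, date(2024, 3, 18)),   # disabled on departure: fine
    Account("svc_legacy", None, True, date(2023, 11, 2)),  # no HR owner, rarely used
]

# Constructed date on which the review is run.
AS_OF = date(2024, 4, 5)


def stale_accounts(accounts, roster, as_of):
    """Enabled accounts whose HR record shows a termination date on or before as_of.

    Each finding reports how many days the account outlived the termination and
    whether a login occurred after it, the evidence an auditor would want.
    """
    terminated = {e.employee_id: e.termination_date
                  for e in roster if e.termination_date is not None}
    findings = []
    for acct in accounts:
        term = terminated.get(acct.employee_id)
        if acct.enabled and term is not None and term <= as_of:
            findings.append({
                "username": acct.username,
                "days_past_termination": (as_of - term).days,
                "login_after_termination": acct.last_login is not None
                                           and acct.last_login > term,
            })
    return findings


def orphan_accounts(accounts, roster):
    """Enabled accounts that cannot be tied to anyone on the HR roster."""
    known = {e.employee_id for e in roster}
    return [a.username for a in accounts
            if a.enabled and a.employee_id not in known]


def dormant_accounts(accounts, as_of, max_idle_days=90):
    """Enabled accounts with no login within max_idle_days (or never used)."""
    return [a.username for a in accounts
            if a.enabled and (a.last_login is None
                              or (as_of - a.last_login).days > max_idle_days)]


def review_access(accounts, roster, as_of, max_idle_days=90):
    """Run all three checks and return the findings as one report."""
    return {
        "stale": stale_accounts(accounts, roster, as_of),
        "orphan": orphan_accounts(accounts, roster),
        "dormant": dormant_accounts(accounts, as_of, max_idle_days),
    }


if __name__ == "__main__":
    report = review_access(ACCOUNTS, HR_ROSTER, AS_OF)
    for category, items in report.items():
        print(f"{category}: {items}")
```

With the sample data, the review flags `bob` as stale (35 days past termination, with a login after the termination date), and `svc_legacy` as both an orphan and a dormant account; `carol` is not flagged because her account was disabled. Running this on every pay period, with the HR export as the source of truth, is the kind of practice that closes the gap the auditors observed.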
All of this becomes more troubling when expanded to the 286 districts across the state, which collectively manage some $8.5 billion in taxpayer funds.
According to the report, while the Kansas State Department of Education requires districts to regularly report on their finances — and while districts are regularly audited to make sure they comply with accounting best practices — the audits do not take into account IT security controls.
LPA noted that districts “house more data and processes in computerized systems than ever before,” and “This means that school districts must be proactive with implementing computer-based controls to keep their data and processes safe and secure.”
KSDE does not require districts to implement security controls
According to the report, districts are exempt from the security requirements state agencies must follow. Districts must comply with other state and federal laws, such as the Family Educational Rights and Privacy Act (FERPA) and the Kansas Student Data Privacy Act, but neither requires school districts to implement specific IT security controls.
Likewise, KSDE does not mandate any specific security controls for accounting systems. Indeed, a 2021 audit on school districts’ self-reported IT security practices found many districts did not follow basic security standards. KSDE, at the time, “took several actions to help improve districts’ IT security processes. These actions included creating a K-12 technology council, creating an IT technology webpage, making security awareness training available to all districts at no cost, and providing districts with templates they should consider when developing security policies.”
However, KSDE stopped short of requiring districts to follow a minimum set of security standards, nor are there any such requirements in Kansas law, nor does the department “formally provide criteria or guidance to school districts regarding accounting system controls.”
KSDE said in its response that it is “already working on more formal guidance for IT security best practices that will be provided to districts for their consideration.”
KSDE also said that districts tend to rely on the Kansas Association of School Boards (KASB) for guidance in writing policies — which means that districts often do not have many policies beyond those they adopt from KASB.
According to auditors, “KASB guidance does state that ‘superintendents are responsible for ensuring that accounting systems have internal controls,’ but this is too vague to be considered sufficient for the types of access controls we evaluated. It was unsurprising to KSDE officials that many districts lacked district-level formal policies specific to accounting system access. KSDE officials told us that their own guidance is more focused on practices rather than formalized policies.”
Auditors recommended that KSDE develop “resources such as policy templates and provide routine guidance to school districts related to accounting system access controls, specifically in the three categories of account management, identity management, and user limits controls,” and that the districts they audited — which were unnamed for security reasons — do so as well.
“The lack of written policies or well-defined practice leaves districts’ accounting systems vulnerable to unauthorized access,” the report concludes. “We found that school districts are not held to any standard set of IT security requirements. As such, districts took different approaches to managing their accounting system access.
“Larger districts met more of the access controls we evaluated. That’s largely because they have the staff, software, and knowledge to maintain a more secure system. Smaller districts tended to lack many of the access controls we evaluated. In several cases, smaller districts described ad-hoc or informal practices related to access controls. While smaller districts may have less staff and little turnover, it’s still critical they implement access controls to help prevent unauthorized access to this sensitive information system.”