Fla. Auditor General Issues Operational Audit on Union County District School Board

TALLAHASSEE, Florida, Dec. 29 -- The Florida Auditor General released the following operational audit (No. 2024-095) on Dec. 15, 2023, involving Union County District School Board.

Here are excerpts:

* * *

SUMMARY

This operational audit of the Union County School District (District) focused on selected District processes and administrative activities and included a follow-up on findings noted in our report No. 2021-040. Our operational audit disclosed the following:

Finding 1: Although required by State law, Board policies did not require searches of prospective school volunteer names against the National Sexual Offender Public Web site.

Finding 2: The District did not comply with State law by timely and prominently posting on its Web site the required proposed, tentative, and final budget information for the 2022-23 fiscal year. A similar finding was noted in our report No. 2021-040.

Finding 3: The District did not annually test the Board-approved information technology (IT) disaster recovery plan and alternate site agreement by accessing and running critical applications and processes from an alternate site.

Finding 4: The District needs to establish a comprehensive IT risk assessment to provide a documented basis for managing IT risks.

BACKGROUND

The Union County School District (District) is part of the State system of public education under the general direction of the Florida Department of Education and is governed by State law and State Board of Education rules. Geographic boundaries of the District correspond with those of Union County. The governing body of the District is the Union County District School Board (Board), which is composed of five elected members. The elected Superintendent of Schools is the Executive Officer of the Board. During the 2022-23 fiscal year, the District operated four elementary, middle, high, and specialized schools; and reported 2,273 unweighted full-time equivalent students.

* * *

FINDINGS AND RECOMMENDATIONS

Finding 1: School Volunteers

State law/1 requires, before making any decision to appoint a person to work as a volunteer where children regularly congregate, a search of that person's name or other identifying information be conducted against the registration information regarding sexual predators and sexual offenders through the Dru Sjodin National Sexual Offender Public Web site (NSOPW) maintained by the United States Department of Justice. If that site is not available, a search of the Florida Department of Law Enforcement (FDLE) registration information regarding sexual predators and sexual offenders is required. State law

* * *

1 Section 943.04351, Florida Statutes.

* * *

also provides that the search does not apply to positions or appointments for which a level 2 background screening is conducted.

Pursuant to Board policies,/2 school volunteers are required to complete a volunteer application and submit to a Statewide criminal and FDLE sexual offender registry search, and volunteers whose work will entail being left alone with a student are required to undergo a level 2 background screening./3 However, Board policies did not require searches of volunteer names or other identifying information be conducted against NSOPW information.

Although FDLE registry searches provide some assurances, the data in the FDLE registry is not as extensive as the national data provided by the NSOPW. In response to our inquiry, District personnel indicated that they were unaware of the requirement to complete a search against the NSOPW information for volunteer applicants. NSOPW searches would provide greater assurance as to the suitability of the backgrounds of individuals and are essential given the risks associated with allowing individuals access to places where children regularly congregate.

While the 112 volunteers who provided supervised student services during the 2022-23 school year were subjected to the FDLE registry search, a search of the individual's name or other identifying information was not conducted against the NSOPW information. As part of our audit, we performed a search of the names for 30 of the 112 volunteers against the NSOPW database and none of the 30 volunteers were listed as a sexual predator or sexual offender. However, our procedures cannot substitute for management's responsibility to establish appropriate controls over student safety. Absent such controls, there is an increased risk that volunteers with unsuitable backgrounds may have direct contact with students.

Recommendation: For those school volunteers not subjected to level 2 background screenings, the District should take immediate action to properly search pursuant to State law the individual's name and make appropriate decisions based on the search results. In addition, Board policies should be revised to require that, before making a decision to appoint a person who has not obtained a level 2 background screening to work as a volunteer where children regularly congregate, a search of that person's name or other identifying information be conducted against the NSOPW information and records be maintained to evidence the results of the search.

Finding 2: Fiscal Transparency

To promote responsible spending, more citizen involvement, and improved accountability, it is important for the District to provide easy access to its budget and related information. Pursuant to State law,/4 the District must post on its Web site graphical representations, for each public school within the District and for the District, of summary financial efficiency data and fiscal trend information for the previous 3 years, and the Web site must also include a link to the Web-based fiscal transparency tool developed by the FDOE pursuant to State law./5 The District is also required to post on its Web site a plain language version

* * *

2/ Board Policy 3.13, School Volunteers.

3/ A level 2 background screening includes fingerprinting for Statewide criminal history records checks through the FDLE and national criminal history records checks through the Federal Bureau of Investigation.

4/ Section 1011.035(2), Florida Statutes.

5/ Section 1010.20, Florida Statutes.

* * *

of each proposed, tentative, and official budget that describes each budget item in terms that are easily understandable to the public.

At the time of our review in June 2023, although District personnel had posted the required graphical representations for the previous 3 years and the link to the Web-based fiscal transparency tool developed by the FDOE, the proposed/tentative and official budgets were not posted for the 2022-23 fiscal year. In response to our inquiry, District personnel indicated that the postings were overlooked.

Subsequent to our inquiries, the official 2022-23 fiscal year budget was posted in June 2023 and the proposed/tentative budgets were posted in October 2023. Providing the required fiscal transparency information on the District Web site enhances citizen involvement and the ability to analyze, monitor, and evaluate District budget outcomes. A similar finding was noted in our report No. 2021-040.

Recommendation: The District should continue efforts to comply with statutory transparency requirements by timely posting all required information on the District Web site.

Finding 3: Information Technology Disaster Recovery Plan

An important element of an effective internal control system over information technology (IT) operations is a disaster recovery plan to help minimize data and asset loss in the event of a major hardware or software failure. A disaster recovery plan should identify key recovery personnel and critical applications, provide for backups of critical data sets, and provide a step-by-step plan for recovery. In addition, plan elements should be tested periodically to disclose any areas not addressed and to facilitate proper conduct in an actual disruption of IT operations.

The District obtains certain IT services, such as financial, payroll, and other critical applications from the North East Florida Educational Consortium (NEFEC)./6 NEFEC developed an IT disaster recovery plan whereby member districts agreed to serve as alternate-processing sites for each other in the event of a disaster that interrupts critical IT operations. In addition, the Board-established comprehensive disaster recovery plan assigns responsibilities for recovery activities to key employees and backup personnel, prioritizes critical operations and data, and details the specific procedures to be followed when NEFEC is inoperable or other events interrupt District operations and affect the recovery and restoration of financial, payroll, and other critical applications. However, District personnel did not annually test their ability to access and run critical applications and processes from an alternate site in the event of a disaster.

In response to our inquiry, District personnel indicated that testing had not occurred due to personnel changes. The lack of annual testing of the IT disaster recovery plan at an alternate site may hinder District efforts to minimize the impact of, and timely recover from, a disaster or disruption of operations.

Recommendation: The District should test the IT disaster recovery plan at an alternate site annually and document the evaluation of the test results.

* * *

6/ NEFEC is a regional, non-profit, educational service agency established to provide cooperative services to 15 small and rural member districts.

* * *

Finding 4: Information Technology Risk Assessment

Management of IT risks is a key part of enterprise IT governance. Incorporating an enterprise perspective into day-to-day governance actions helps entity personnel identify and understand the greatest security risk exposures and determine whether planned controls are appropriate and adequate to secure IT resources from unauthorized disclosure, modification, or destruction. A comprehensive IT risk assessment should consider specific threats and vulnerabilities, and the severity of such threats and vulnerabilities, at the Districtwide, system, and application levels and document the range of risks that District systems and data may be subject to, including those posed by internal and external users. IT risk assessments help support management's decisions in establishing cost-effective measures to mitigate risk and, where appropriate, formally accept residual risk.

In response to our inquiries, District personnel indicated that they had considered external and internal risks; however, due to the small size of the District and employee turnover, documentation was not maintained to evidence conduct of a comprehensive IT risk assessment. The absence of a comprehensive IT risk assessment may lessen the District's assurance that all likely threats and vulnerabilities have been identified, the most significant risks have been addressed, and appropriate decisions have been made regarding which risks to accept and which risks to mitigate through appropriate controls.

Recommendation: The District should conduct a comprehensive IT risk assessment to provide a documented basis for managing IT-related risks.

* * *

PRIOR AUDIT FOLLOW-UP

The District has taken corrective actions for findings included in our report No. 2021-040, except that Finding 2 was also noted in that report as Finding 1.

* * *

OBJECTIVES, SCOPE, AND METHODOLOGY

The Auditor General conducts operational audits of governmental entities to provide the Legislature, Florida's citizens, public entity management, and other stakeholders unbiased, timely, and relevant information for use in promoting government accountability and stewardship and improving government operations.

We conducted this operational audit from April 2023 through October 2023 in accordance with generally accepted government auditing standards. Those standards require that we plan and perform the audit to obtain sufficient, appropriate evidence to provide a reasonable basis for our findings and conclusions based on our audit objectives. We believe that the evidence obtained provides a reasonable basis for our findings and conclusions based on our audit objectives.

This operational audit focused on selected District processes and administrative activities. For those areas, our audit objectives were to:

* Evaluate management's performance in establishing and maintaining internal controls, including controls designed to prevent and detect fraud, waste, and abuse, and in administering assigned responsibilities in accordance with applicable laws, rules, regulations, contracts, grant agreements, and other guidelines.

* Examine internal controls designed and placed in operation to promote and encourage the achievement of management's control objectives in the categories of compliance, economic and efficient operations, reliability of records and reports, and safeguarding of assets, and identify weaknesses in those controls.

* Determine whether management had taken corrective actions for findings included in our report No. 2021-040.

* Identify statutory and fiscal changes that may be recommended to the Legislature pursuant to Section 11.45(7)(h), Florida Statutes.

This audit was designed to identify, for those areas included within the scope of the audit, weaknesses in management's internal controls significant to our audit objectives; instances of noncompliance with applicable laws, rules, regulations, contracts, grant agreements, and other guidelines; and instances of inefficient or ineffective operational policies, procedures, or practices. The focus of this audit was to identify problems so that they may be corrected in such a way as to improve government accountability and efficiency and the stewardship of management. Professional judgment has been used in determining significance and audit risk and in selecting the particular transactions, legal compliance matters, records, and controls considered.

As described in more detail below, for those programs, activities, and functions included within the scope of our audit, our audit work included, but was not limited to, communicating to management and those charged with governance the scope, objectives, timing, overall methodology, and reporting of our audit; obtaining an understanding of the program, activity, or function; identifying and evaluating internal controls significant to our audit objectives; exercising professional judgment in considering significance and audit risk in the design and execution of the research, interviews, tests, analyses, and other procedures included in the audit methodology; obtaining reasonable assurance of the overall sufficiency and appropriateness of the evidence gathered in support of our audit findings and conclusions; and reporting on the results of the audit as required by governing laws and auditing standards.

Our audit included the selection and examination of transactions and records, as well as events and conditions, occurring during the 2022-23 fiscal year audit period, and selected District actions taken prior and subsequent thereto. Unless otherwise indicated in this report, these records and transactions were not selected with the intent of statistically projecting the results, although we have presented for perspective, where practicable, information concerning relevant population value or size and quantifications relative to the items selected for examination.

An audit by its nature does not include a review of all records and actions of management, staff, and vendors, and as a consequence, cannot be relied upon to identify all instances of noncompliance, fraud, waste, abuse, or inefficiency.

In conducting our audit, we:

* Reviewed applicable laws, rules, Board policies, District procedures, and other guidelines, and interviewed District personnel to obtain an understanding of applicable processes and administrative activities and the related requirements.

* Reviewed Board information technology (IT) policies and District procedures to determine whether the policies and procedures addressed certain important IT control functions, such as security, logging and monitoring, and disaster recovery.

* Evaluated District procedures for maintaining and reviewing employee access to IT data and resources. We examined selected user access privileges to District enterprise resource planning (ERP) system finance and human resources (HR) applications to determine the appropriateness and necessity of the access privileges based on employee job duties and user account functions and whether the access privileges prevented the performance of incompatible duties. Specifically, we examined:

* 11 of the 29 user accounts with update access privileges to selected critical ERP system finance application functions.

* 6 of the 19 users accounts with update access privileges to selected critical ERP system HR application functions.

* The 2 accounts with systemwide access to the District application systems, datasets, and programs for the finance and HR applications.

* The 2 accounts with security access to the District application systems, datasets, and programs for the student application.

* Evaluated District procedures to prohibit former employee access to electronic data files. We reviewed selected user access privileges for 30 of the 71 employees who separated from District employment during the audit period to determine whether the access privileges were timely deactivated.

* Determined whether the District had a comprehensive IT disaster recovery plan in place that was designed properly, operating effectively, and had been recently tested.

* Examined selected application security settings to determine whether authentication controls were configured and enforced in accordance with IT best practices.

* Determined whether the District had established a comprehensive IT risk assessment to document the District's risk management and assessment processes and security controls intended to protect the confidentiality, integrity, and availability of data and IT resources.

* Inquired whether the District obtained and reviewed service organization controls (SOC) 1 Type 2 reports as described in Statement on Standards for Attestation Engagements No. 18, Attestation Standards: Clarification and Recodification.

* Inquired whether the District had expenditures or entered into any contracts under the authority granted by a state of emergency declared or renewed during the audit.

* Examined the District Web site to determine whether the 2022-23 fiscal year proposed, tentative, and official budgets were prominently posted pursuant to Section 1011.035(2), Florida Statutes. In addition, we determined whether the District Web site contained, for each public school within the District and for the District, the required graphical representations of summary financial efficiency data and fiscal trend information for the previous 3 years, and a link to the Web-based fiscal transparency tool developed by the Florida Department of Education (FDOE).

* From the expenditures totaling $288,811 and zero transfers for the period July 1, 2022, through April 17, 2023, from nonvoted capital outlay tax levy proceeds and other restricted capital project funds, examined documentation supporting selected high dollar expenditures totaling $280,598 to determine District compliance with the restrictions imposed on the use of these resources, such as compliance with Section 1011.71(2), Florida Statutes.

* Examined District records to determine whether the Board had adopted appropriate mental health awareness policies and the District had implemented procedures to promote the health, safety, and welfare of students and ensure compliance with Section 1012.584, Florida Statutes; Section 1011.62(13), Florida Statutes (2022); and State Board of Education (SBE) Rule 6A-1.094124, Florida Administrative Code.

* Examined District records to determine whether the Board had adopted appropriate school safety policies and the District implemented procedures to ensure the health, safety, and welfare of students and compliance with Sections 1006.07 and 1006.12, Florida Statutes; and Section 1011.62(12), Florida Statutes (2022).

* Examined copies of the most recent annual fire safety, casualty safety, and sanitation inspection reports to determine whether the District provided for periodic inspections of educational and ancillary facilities and timely action was taken to correct previously cited deficiencies.

* From the population of $91,799 total workforce education program funds expenditures for the period July 2022 through May 2023, examined selected expenditures totaling $86,266 to determine whether the District used the funds for authorized purposes (i.e., not used to support K-12 programs or District K-12 administrative costs).

* Examined District records supporting 1,165 reported contact hours for 22 selected students from the population of 3,045 contact hours reported for 50 adult general education instructional students during the Fall 2022 Semester to determine whether the District reported the instructional contact hours in accordance with SBE Rule 6A-10.0381, Florida Administrative Code.

* From the population of $119,894 daycare fees collected from July 1, 2022, through May 23, 2023, examined supporting documentation for 30 selected receipts totaling $7,206 to determine whether internal controls over fee assessments and collections were properly designed and operating effectively for the District Prekindergarten Extended Day Program.

* From the population of 148 diplomas issued during the audit period, examined documentation for 13 selected diploma recipients to determine whether the recipients met the applicable graduation requirements.

* Examined District records for the audit period supporting the teacher salary increase allocation received pursuant to Chapter 2022-156, Laws of Florida, Specific Appropriation 86, totaling $569,372 and records supporting related payments totaling the same amount made to 189 instructional personnel to determine whether the District submitted required reports (salary distribution plan and expenditure report) to the FDOE and used the allocation in compliance with Section 1011.62(14), Florida Statutes (2022).

* Evaluated Board policies and District procedures addressing the ethical conduct of school personnel, including reporting responsibilities related to employee misconduct which affects the health, safety, or welfare of a student, and the investigation responsibilities for all reports of alleged misconduct to determine whether those policies and procedures were effective and sufficient to ensure compliance with Section 1001.42(6) and (7)(b)3., Florida Statutes, and SBE Rule 6A-10.084, Florida Administrative Code.

* Examined Board policies, District procedures, and related records supporting school volunteers for the audit period to determine whether the District searched prospective volunteers' names against the Dru Sjodin National Sexual Offender Public Web site maintained by the United States Department of Justice, as required by Section 943.04351, Florida Statutes.

* Evaluated Board policies and District procedures for periodic reconciliations of health insurance provider billings to District payroll records to determine whether Board contributions for health insurance premiums are for eligible participants and contributions and employee-paid premiums are consistent with the Board-approved amounts.

* From the population of payments for contracted services totaling $1.3 million during the period July 1, 2022, through April 17, 2023, examined supporting documentation, including applicable contract documents, for 14 selected payments totaling $273,234 to determine whether:

* The District complied with applicable competitive selection requirements (e.g., SBE Rule 6A-1.012, Florida Administrative Code).

* The contracts clearly specified deliverables, time frames, documentation requirements, and compensation.

* District records evidenced that services were satisfactorily received and conformed to contract terms before payment.

* The payments complied with contract provisions.

* From the compensation payments totaling $16.3 million to 505 employees during the period July 1, 2022, through May 11, 2023, examined District records supporting compensation payments totaling $68,887 to 30 selected employees to determine whether the rate of pay complied with the Board-approved salary schedule and whether supervisory personnel reviewed and approved employee reports of time worked.

* Determined whether non-compensation expenditures were reasonable, correctly recorded, adequately documented, for a valid District purpose, properly authorized and approved, and in compliance with applicable State laws, SBE rules, contract terms and Board policies; and applicable vendors were properly selected. Specifically, from the population of non-compensation expenditures totaling $5.8 million for the period July 2022 through May 2023, we examined documentation supporting 30 payments for general expenditures totaling $36,555.

* For the one significant construction project with a contract totaling $1.3 million,/7 examined related documentation to determine whether the contractor was properly selected, and the plans and specifications were properly reviewed and approved by the Board in compliance with Board policies, District procedures, and applicable provisions of State law.

* Reviewed Board policies and District procedures related to identifying potential conflicts of interest. For the 5 District officials, the Superintendent, and the Director of Finance we reviewed Department of State, Division of Corporations, records; statements of financial interests; and District records to identify any relationships that represented a potential conflict of interest with vendors used by the District.

* Communicated on an interim basis with applicable officials to ensure the timely resolution of issues involving controls and noncompliance.

* Performed various other auditing procedures, including analytical procedures, as necessary, to accomplish the objectives of the audit.

* Prepared and submitted for management response the findings and recommendations that are included in this report and which describe the matters requiring corrective actions. Management's response is included in this report under the heading MANAGEMENT'S RESPONSE.

* * *

7/ The District had not incurred any project-related expenditures as of June 30, 2023.

* * *

AUTHORITY

Section 11.45, Florida Statutes, requires that the Auditor General conduct an operational audit of each school district on a periodic basis. Pursuant to the provisions of Section 11.45, Florida Statutes, I have directed that this report be prepared to present the results of our operational audit.

Sherrill F. Norman, CPA

Auditor General

* * *

The report is posted at https://flauditor.gov/pages/pdf_files/2024-095.pdf.