Auditor of Public Accounts Recommendations for Kentucky School Districts
The Auditor of Public Accounts, as a result of recent examinations of various issues in many Kentucky school districts, makes the following recommendations to assist districts and their boards in designing and implementing effective policies and procedures. These recommendations should aid Board members, superintendents, and district management in providing significant financial oversight and strong internal controls to maximize the fiscal operations of the district. The following recommendations should be evaluated and considered for implementation, as needed, to address the district’s operational needs.Section I: Recommendations 1-33 for School District Boards (Board) Address Oversight, Policies, and Procedures.1
We recommend the Board consider establishing a committee structure that may include finance/budget, policy, audit, technology, or other committees, as necessary. Committees would assist the Board in strengthening its oversight of these important areas.2
We recommend the Board have annual training workshops for Board members to provide a better understanding and ability to analyze district budgets and other financial information. These workshops may be presented by the district’s finance/budget staff, trainers, an external auditor, or others with an appropriate skill set and specific knowledge of school district budgets and finances.3
We recommend the Board, having a thorough understanding of the budget, provide strategic direction and financial objectives to the district’s budget staff for developing a final budget. We also recommend the Board require a budget to actual report be provided to the Board monthly to monitor the approved budget so that variances are identified and discussed.4
The Board should approve only routine items on a consent agenda. Non-routine items should be individually discussed and approved to ensure supporting documentation for expenditures is reviewed. The Board's discussion of expenditures should be documented in the Board meeting minutes. For example, we recommend the Board, Board Chair, or a designated Board committee, routinely review detailed Board attorney billing statements prior to the Board approving the payment of the invoice. The results of this review should be documented in the meeting minutes.5
The Board should inquire whether the district periodically performs a review of adopted written procedures, processes, and guidelines to ensure they are current and meet the requirements of state law, Board policies, and accounting principles. As part of this review, we also recommend the Board encourage district management to review whether unwritten practices are performed in the district that should be formalized as a written policy, procedure, or guideline. Once written, each item should be numbered and referenced back to any applicable state law, Board policy, or other authority. All written policies, procedures, and guidelines should be made readily available to all district staff in a central location.6
We recommend the Board develop and distribute to all staff a policy detailing the process for district staff to submit concerns to the Board related to questionable activities impacting the district, including actions of the superintendent. This policy should allow for employees to report issues to the Board in a manner that will not jeopardize their employment.7
The Board should adopt a comprehensive policy to address nepotism involving the employment and supervision of relatives in compliance with KRS 160.380. For instances in which the employment of relatives is allowed, this policy should address the supervision and other aspects of a relative’s employment to prevent the appearance of a conflict. For example, the policy should contain a provision that prevents an employee from directly supervising or performing evaluations of a family member.8
We recommend the Board adopt a policy that the Superintendent report all personnel actions to the Board, as required by KRS 160.390.9
The Board policies should address the payment of continuing education for employees, including the Superintendent, to ensure that the district is able to retain an employee for a specified period of time after the employee completes the requested education. If educational benefits are provided, a policy should contain a provision to address retention requirements, contingent on either the Board or Superintendent’s election, whichever is appropriate, to continue the person’s employment, and an associated repayment schedule if the employee resigns prior to the employee meeting the required retention period.10
Any arrangements extending an employee’s number of work days to be paid beyond their original contract should be authorized by the Board prior to the first day the additional work begins, with no advance payments for additional work days allowed. In addition, if the employee’s work days are extended, their contract should be modified, approved, and signed by the appropriate parties.11
The Board should take official action during a Board meeting to approve the Superintendent’s contract itemizing compensation and benefits to be provided by the district. The contract should include, either in the body or in an attachment incorporated into the contract, the actual full compensation and benefits provided to the Superintendent. All contract documents for the employment of the Superintendent should be fully discussed by the whole Board during official Board meetings in accordance with Kentucky’s Open Meetings law, KRS 61.800 to 61.850. The final vote and Board action should take place in an open and public meeting and be documented in the Board meeting minutes. The Board Chair should not sign the contract until it is approved by the Board.12
A maximum number of accrued vacation and sick days allowed should be specified in the Superintendent’s contract. The method by which the unused vacation days will be valued when the Superintendent’s employment is terminated should be documented in the contract. To monitor this contract term, the Board should develop a written policy requiring the Superintendent to notify the full Board, Board Chair, or a designated Board committee when vacation or sick leave is taken.13
The Board’s attorney should review the Superintendent’s proposed contract prior to it being approved by the Board to ensure the contract clearly represents the salary, benefits, or other terms and conditions associated with the Superintendent’s employment. Those benefits should be clearly stated, not be redundant in nature, and provide clear criteria as to how the Board will monitor the benefits. The Board should ensure current and future employment contracts properly define all intended benefits.14
The Board should ensure employment contracts, including the Superintendent’s, are written and signed prior to the contract’s effective date, include the executed contract or the terms of the contract in the minutes of the Board meetings, and consult with the IRS or the district’s independent Certified Public Account to determine whether the retirement contribution paid on behalf of the superintendent, when applicable, is considered taxable income.15
The Board should maintain copies of the Superintendent’s contract for an annual review by all Board members. In addition, a copy of the contract should be placed in the Superintendent’s personnel file and provided to the Board’s attorney.16
The full Board, Board Chair, or a designated Board committee should be made responsible for routinely reviewing the Superintendent’s benefits and the costs associated with those benefits. This review should ensure the district only compensates the Superintendent for the amounts specified in the contract, including base salary and fringe benefits such as professional dues.17
When considering a Superintendent contract extension, the Board should review the current contract and determine the cost of each benefit. The Board should inquire of the finance officer the actual benefit costs and whether other benefits, and related costs, are being provided that are not included in the current employment contract. If the Board decides to extend the employment contract of the Superintendent, the contract provisions should be clearly presented including salary, benefits, or other terms or conditions of employment. All benefits provided should be included in the Superintendent’s employment contract. The Board should establish a policy that all authorized benefits provided to the Superintendent be directly communicated by the Board in writing to the district’s Central Office staff.18
The full Board, Board Chair, or a designated Board committee should review the Superintendent’s credit card purchases to ensure the transactions are reasonable in amount, necessary, and properly supported by receipts or other appropriate documentation. Due to credit card transactions not being readily transparent, it is imperative the Board review these transactions to be aware of all expenses related to the Superintendent. This will strengthen internal controls and mitigate the risk of retaliation if a subordinate employee is responsible for reviewing and potentially questioning the activity of the Superintendent.19
All reimbursement requests submitted by the Superintendent to the district should be provided to the full Board, Board Chair, or a designated Board committee. The Board should require the District’s financial officer to conduct an initial review of the Superintendent’s reimbursement request, sign the request to document the review, and submit any concerns or issues to the Board before approval of the reimbursement request is made. The full Board, Board Chair, or a designated Board committee should review and document the approval or other action taken regarding the Superintendent’s requests for reimbursement and ensure the transactions are reasonable, necessary, and compliant with the contract.20
The Board should establish an annual work calendar for the Superintendent that specifies, prior to the beginning of the school year, the non-work days associated with the Superintendent’s contract. Any modification to this schedule should be formally presented to the Board for approval and the Board’s action should be documented in the Board meeting minutes.21
We recommend the Board adopt the Kentucky Model Procurement Code and follow KRS 45A.385 for small purchases. This policy should require procurements in excess of $20,000 to be competitively bid or otherwise competitively procured to ensure the best and most economical selection is made. The policy should not allow split or divided purchases and projects to circumvent the bidding requirements for procurements in excess of $20,000.22
The Board should develop a policy to require procurement agreements be documented in a formal, written contract and not rely on implied or verbal agreements.23
The Board should determine the threshold amount for which a contract requires Board approval. The Board should establish a policy to limit the number of contract renewals allowed and the length of time a contract may be extended.24
For multi-year contracts, the Board should establish a maximum reasonable number of contract extensions allowable before a competitive procurement is again required. This will assist district management in continuing to evaluate the best and most economical selection for the district. Further, though not required by the Model Procurement Code, we recommend the Board determine whether a competitive procurement should be used for contracts that were historically extended without evaluating other vendors and costs for services. Examples of these services are banking, external auditing, and attorney services.25
To reduce the risk of unallowable purchases, we recommend the Board determine whether the use of credit cards by the district’s schools and departments is necessary. If the Board decides that credit cards are needed, we recommend that the Board consider the use of a procurement card that can limit the types or categories of purchases and provide other transactional controls.26
If credit cards continue to be used by the district, we recommend the Board establish a specific credit card policy requiring, at a minimum
- card user agreements to be read and signed before the employee is permitted to use a credit card;
- use of the card only for business related purposes;
- internal controls to limit access to unauthorized users;
- supporting documentation for all credit card expenditures, which should include a detailed invoice or other appropriate documentation, a business purpose, and name of the individuals involved in the purchase; and
- a statement that credit card purchases not supported by detailed, itemized receipts or other appropriate documentation must be repaid by the employee within a reasonable period.
For training, conferences, or other travel expenses, we recommend the Board require these costs be directly billed to the district or incurred by the employee for reimbursement. Requested reimbursement should be made on a standard reimbursement form that requires explanations for the travel and requires supporting documentation to be reviewed and approved.28
Related to conferences and training, we recommend the Board adopt a policy requiring specific supporting documentation for all reimbursement requests. This documentation should include the identity of the organization or agency sponsoring the event, a brief description of the business purpose, and an original itinerary or registration materials related to the event.29
The Board should pre-approve all out-of-state travel for the Superintendent, other district employees, and Board members, including travel for professional development. Budgeted or known travel costs for the trip should be specifically pre-approved by the Board in a public meeting. To ensure compliance and transparency, the Board should receive and review a detailed report of the out- of-state travel and reimbursement expenses incurred.30
We recommend the Board adopt the Kentucky State Government per diem reimbursement rates and travel regulations, as specified by 200 KAR 2:006. This provides continuity among school districts for travel expenses and prevents excessive or unnecessary spending for food-related purchases by paying the specified per diem meal rate based on the actual travel time and eliminates the need to review receipts for food.31
The Board should create a written policy regarding the use of district fleet vehicles. The policy should address whether vehicles can be permanently assigned to an employee, be assigned to take home, or used solely during the work day and remain on district property after hours. The policy should provide specific criteria for making individual vehicle assignments and identify any temporary exceptions to assignment criteria. The policy should require documentation be maintained to support permanent or take-home vehicle assignments. The policy should also address any personal use of a district vehicle. In addition, the policy should address vehicle maintenance and any requirements to use the district’s transportation department to maintain vehicles, if applicable. Finally, the district should place decals on all vehicles identifying them as district property.32
The Board should develop a policy for the use of a fleet fuel card or other credit cards for gas purchases. The policy should restrict the use of the card for only fuel purchases related to business purposes. The policy should require employees to read and sign a card user agreement before the employee is permitted to use a fuel or credit card.33
We recommend the Board policy regarding fuel purchases should require the employee’s initials, the vehicle or license plate number, and the odometer reading to be recorded on the fuel receipt at the time the fuel is purchased. When traveling out-of-district, the purpose of the travel should also be documented. The Board policy should also include a timeframe for employees to turn in receipts for gas card purchases and specify the disciplinary action that will be taken if the required documentation is not provided.Section II: Recommendations 34-38 for Superintendents to Address Policies or Procedures Regarding Expenditures, Travel, Leave, and Employee Position Descriptions.34
The district Superintendent should develop, in conjunction with other district management, specific procedures to ensure expenses are appropriate, reasonable, and necessary for the district’s operation. Any policy or procedure revisions should be made in writing, dated, and distributed to the appropriate personnel prior to it going into effect. We recommend district procedures contain the following elements:
- consider the necessity and reasonableness of each purchase, including the potential for the purchase to be personal, excessive, or unnecessary.
- require complete supporting documentation prior to the approval of any payment;
- prohibit district funds from being used for personal gifts to district employees;
- prohibit the payment of any vendor invoice that appears to be altered until an original is provided;
- require specific monitoring controls over the expenditure process related to federal grant funds to ensure compliance with grant requirements and prevent the use of grant funds for unauthorized or inappropriate expenses;
- determine the types of expenditures that should be presented to the Board for preapproval and the types that may be authorized and approved by the Superintendent without Board approval;
- delineate the lines of responsibility for the authorization and approval of expenditures throughout the district, as well as the dollar thresholds for small purchases versus purchases that require a competitive procurement process; and,
- prohibit purchases with vendors that create a conflict of interest with district staff or Board members.
The district Superintendent should develop, in conjunction with other district management, specific procedures to ensure that travel and other reimbursable expenses that are incurred support the district’s operations and objectives. Unnecessary expenses incurred based on personal preference should be considered a personal expense of the individual and not an expense of the district. To ensure that expenses are appropriate, reasonable, and necessary, we recommend that district policies and procedures contain the following elements related to travel expenses and reimbursement requests:
- Provide definitions and examples of allowable and unallowable expense reimbursements.
- List the required documentation needed to receive travel expense reimbursements and other reimbursements. This requirement should include a statement in the policy that expenses not having detailed, itemized receipts will not be paid by the district.
- Specify a time period in which travel and other reimbursement requests must be submitted for review and approval. This requirement should be supported by a statement in the policy that reimbursement requests made after this period will not be paid by the district. District reimbursements should be paid timely so that the district’s financial statements will represent the actual expenditures for that fiscal year.
- Prohibit advance payments for travel to employees, as interpreted in OAG 80-395 related to KRS 160.410.
- Specify when prior approval for travel is required and what information must be submitted to request approval.
- Identify the position(s) of those responsible for reviewing the travel vouchers and reimbursement requests, such as the principal, finance officer, or another management designee. When applicable, this review should include a comparison of the actual costs incurred by district staff to pre-approved costs. The Superintendent should ensure the position(s) is given the authority to appropriately question or deny reimbursement requests if they do not comply with established district policy.
For conferences, trainings, and external meetings, the Superintendent should provide to the Board a copy of the itinerary, meeting minutes, or other materials provided by the host organization for which a reimbursement for mileage or other travel expenses is requested.37
The Superintendent should notify the full Board, Board Chair, or a designated Board committee when taking annual, sick, professional, or other leave for a scheduled contract work-day. The notification should be documented in writing.38
We recommend the district Superintendent or designee review the documented position descriptions for district personnel to ensure they are appropriate and reflect the employee’s actual job duties and responsibilities. Modifications to position descriptions should only be made, in conjunction with other district management, as fundamental job duties and responsibilities change. For positions involving financial activities, this review should ensure segregation of duties and proper oversight exists. In a situation where segregation of duties is difficult due to staff size, we recommend the district Superintendent or designee ensure appropriate position descriptions include the responsibility to provide additional oversight procedures to create a system of checks and balances.Section III: Recommendations 39-74 for School District Management (Management) to Address Various Operational Areas Including Personnel, Procurement, Travel, and Information Technology.39
We recommend district management provide training to all employees commensurate with their job duties and responsibilities. Examples may include the following:
- Employees responsible for district accounting or other financial duties should receive training to provide them with sufficient knowledge of applicable district financial related policies and procedures.
- Employees responsible for making purchases should receive training on the district’s procurement policies. This training should focus on the procurement process, including required approvals, the documentation required to support purchases, and how the documentation should be maintained. We further recommend the district require authorized purchasers to sign a statement attesting that they understand the district’s procurement policies and their responsibility to comply.
- Employees responsible for time keeping should receive training to ensure leave for all employees, including the superintendent, is accurately accounted for. The failure to adequately account for leave could have a significant financial impact as districts are required to pay for a percentage of unused sick leave at the end of the employee’s tenure.
We recommend district management develop and formalize an information technology (IT) security awareness program to reinforce employee responsibilities related to IT security and their role in securing student and network data. In coordination with this program, IT policies and procedures should be periodically communicated to staff. We also recommend the district require all central office staff, teachers, and management have security awareness training on an annual basis. The district should monitor this program to ensure all users are in compliance.41
We recommend district management evaluate whether candidates are eligible, based on all applicable criteria, for posted employment positions prior to selecting candidates for interview or further consideration. This process will prevent the inappropriate pursuit of an ineligible candidate and eliminate the need to questionably alter an originally posted position description.42
We recommend the district’s itinerant staff be provided with specific, written job expectations and required duties. These employees should document work activities performed on a daily basis and use the school’s sign-in logs to support those activities. If hired through a specific grant program, the activities performed should be documented and monitored to ensure compliance with applicable program requirements.43
District management should ensure all full-time and substitute employees work the allotted number of hours in accordance with the Board-approved salary schedule.44
District management should implement adequate internal controls to ensure substitute teacher payments are accurate because of higher manual activity involved in these payroll payments. These payments should be supported by timesheets or another form that provides the date, the name of the substitute, the person for which the substitute is working, and the school or location worked. Due to a higher risk of error and potential for creation of ghost employees, specific controls are needed for these types of payments.45
We recommend district management report to the Board, at least quarterly, the current amount of leave and the cumulative associated value of that leave for all staff members, including the Superintendent. To improve transparency and fiscal awareness, the future cost of payment for accumulated sick or annual leave should be considered to include as a component of the district budgeting process and as a line item within the annual financial statement audit.46
We recommend district management develop a procedure, subject to Board approval, requiring all employees report the actual amount of leave time used regardless of any exemption status. All employees, including salaried-exempt staff, should account for their time through the use of timesheets or other designated district reports documenting the actual number of hours worked and leave taken.47
District designated staff should only implement changes to the Superintendent’s salary or benefits after complete, written, and signed documentation is received from the Board. District staff should properly account for any taxable benefits that should be reported by the employee.48
District management should include the Superintendent’s professional leave in the standard monthly reporting to the Board, including the dates of the leave, the location of the leave, and the associated costs anticipated and funding source for the leave as is done for all other district personnel.49
District management should ensure that procurement contracts entered into by the district specify the services required to be performed and the amount to be paid. Specific language should exist in the contract requiring detailed invoices from a contractor that document a description of the work performed, the number of hours associated with each work step, and the rate charged. If the contract allows for the contractor to receive a retainer and an hourly fee, the contract should specify the services provided for the retainer paid and the services that are subject to an additional hourly rate. In addition, district management should require submission of supporting documentation, including original receipts, prior to reimbursement for contractors who contractually receive reimbursement for actual expenses. Further, we recommend District policy prohibit gratuities, gifts, conflict of interests, and other issues involving procurement as specified in KRS 45A.455.50
District management should be required to monitor the contractor’s performance and review applicable invoices to ensure compliance with the contract. Any discrepancies identified should be documented and discussed with the contractor. This monitoring process should also ensure that contract services do not overlap and that contract extensions are approved before the contractor continues to provide services or goods to the district.51
District management should maintain a record of all contracts to facilitate review and monitoring activities. For each contract, this record should include the name of the department responsible for monitoring the contract, date of the contract, contract procurement method, period of the contract, contract amount, actual contract payments to date, and whether the contract is new, extended, or a renewal. To provide greater public transparency, district management should place the name of contractors, contract payments, and all other relevant public data on their district’s website.52
District management should provide an annual report to the Board of all vendor contract renewals and extensions. This report should specify the date of the original award, the fees associated with the award, and the number of renewals previously granted to the vendor.53
District management should develop a procedure requiring teachers to be informed of the individual maximum amount in the budget available for reimbursement of personal funds used to purchase necessary supplies for classrooms and students.54
If the Board adopts the per diem method for meal reimbursement as previously suggested, district management should disallow other methods to incur meal expenses, such as the use of district credit cards or reimbursing the employee based on an actual receipt. If district management allows exceptions for specific instances, each exception should be documented and monitored to ensure that duplicate reimbursements have not occurred.55
District management should maintain a list of employees attending conferences and training. To be eligible to attend conferences and training having an associated cost to the district, the employee should be a full-time district employee and not an interim employee whose training may not benefit the long term needs of the district. Due to budget constraints, district management should consider sending a limited number of employees to conferences or training and encourage the development of effective in-house training that will extend the benefit of this external training to other staff.56
District management should inform appropriate payroll staff of employee take- home vehicle assignments so that the taxable benefit is properly reported on the employee’s W-2 tax documents. Any applicable vehicle records should be provided to the payroll department by the employee to properly account for the benefit. District management should take disciplinary action if records are not maintained and provided to the payroll department.57
District management should require maintenance/transportation departments to maintain an accurate, up-to-date inventory database to allow for regular reviews to reduce unneeded or duplicate purchases and prevent inventory loss due to theft. District management should prohibit the use of the district’s tools, parts, supplies, and other resources for the maintenance and repair of personal vehicles or other property.58
We recommend that all written district IT policies and procedures reflect current processes and procedures. These should be detailed, complete, and approved by management. We recommend district management formally establish a schedule for staff to ensure policies are consistently reviewed in a routine and timely manner. We further recommend that a documented process be developed for recommendations of new or updated policies to be reviewed, finalized, and implemented within a determined period. Examples of district IT policies and procedures include:
- Acceptable Computer, Internet, and Email Use Policy;
- Data Classification and Encryption Policy;
- Incident Handling, Remediation, and Notification Policy;
- Anti-virus Policy;
- IT Purchasing Policy;
- Password Policy;
- Sanitization of IT Equipment and Electronic Media Policy;
- Logical Security for Local Area Network (LAN) Policy;
- Physical Security Policy;
- Wireless Network Security Policy;
- Program Change Control Policy; and
- Disaster Recovery Plan (DRP)/Business Continuity Plan (BCP).
District management should ensure updated policies and procedures are maintained in a central location and made available to all district staff. If the policy and procedure documents are published on the district’s website, district management should ensure only the most current versions of the documents are available. Training should be provided to staff, as needed, to ensure compliance with established policies.60
District management should ensure either internal staff or the application vendor has properly configured IT devices to limit vulnerabilities that could be exploited. We recommend district management ensure procedures are consistently followed in order to update software timely to reduce the risk of known vulnerability exploits. If software or hardware is outdated, but must be retained due to budgetary or other system requirements, a process should be established to document these instances, the reasoning behind this determination, and management’s approval.61
We recommend district management identify all services running on their critical servers housing student information or other personally identifiable information (PII), either of which should be strictly secured. The district should ensure that once identified, the sensitive or confidential data is encrypted.62
District management should have a process in place to identify incidents where breaches of district systems and data have occurred. This process should include a remediation plan and, if the breach is related to PII, a formal process for notifying the affected individuals, credit bureaus, and appropriate law enforcement in compliance with KRS 61.931 to 61.934.63
We recommend district management develop a process for sanitizing and disposing of IT equipment in their central office and individual schools. All IT equipment, whether housed at the schools or in the central office, should be held to the same policy standards. This process should be thoroughly documented and should be distributed to all appropriate personnel who are responsible for this function. All IT equipment, regardless of its origin, should be either destroyed or sanitized prior to disposal, and documentation of these actions and the disposal method should be developed and retained using standardized forms. Completed forms should be maintained in a format that can be readily accessed.64
We recommend district management develop a report to communicate sanitizations and disposals by the schools to the central office. Any items that are removed from the district’s fixed asset listing should be accounted for and included in the report. The fixed asset listing within Municipal Information System (MUNIS) should be updated to show the sanitization and disposal methods and dates.65
We recommend district management develop a formal written procedure detailing the process for all employees, including central office staff, to request new access, change access, or remove access to applications, including, but not limited to, LAN; MUNIS; and other district-specific applications. Further, district management should ensure only technical and support staff are granted local administrator access to network resources in order to help limit the risk of accidental or intentional introduction of viruses or loss of programs or data. This procedure should be consistently applied and include the development of a security form itemizing access rights and approvals for all district applications. Computer security forms should be maintained in a format that is readily available.66
We recommend district management perform periodic review of the user accounts and security role groupings established within these applications and production servers to ensure they have a business purpose. If accounts or security role groupings are not required, they should be disabled immediately. It is not good business practice to establish and use accounts that can be used by a group of individuals since it cannot be determined which user performed account activity. If a group account is required, then management should document the necessity and should monitor activity performed by the group account by reviewing on a routine basis the transactions processed to ensure they are appropriate. Further, management should restrict access of outside vendors to the district network. If access is necessary, access should be provided for a defined period of time and actions taken during this period should be monitored by IT staff. Any necessary exemptions should be approved and documented.67
We recommend district management work with KDE to develop and formalize a password policy that includes requirements for:
- a minimum length of at least eight characters;
- complexity that includes a number, capital letters, special characters, or ALT characters;
- expiration period of not more than 120 days;
- history of at least six previous passwords that cannot be reused; and
- the lockout of a user’s account after no more than three unsuccessful attempts.
Districts may consider implementing more restrictive password policies than described above. 68
We recommend district management apply the password policy to all applications used by the district. If there are business reasons for variations from the documented password policy, district staff should document these reasons in detail and management should provide an approval for the exception. Any exceptions to the password policy should be retained.69
We recommend district management implement a standardized process to ensure password audits are performed on a periodic basis. The identification of weak passwords should be shared with the user who is requested to create a new and stronger password. Results of these password audits should be maintained.70
We recommend district management ensure that all new IT devices are consistently configured based on internally developed or KDE directed base- line configurations. Any variations from the base-line configurations should be documented showing the justification for the variation and management’s authorization. Broadcasting of the services and associated versions running on devices should be restricted unless it cannot be configured otherwise. Further, we recommend district management perform periodic reviews of all devices to determine whether configuration changes have occurred. Any changes should be noted and validated.71
We recommend district management take the necessary actions to ensure the services and open ports on their devices have a specific business purpose. If the service is necessary, it should be reviewed to ensure it is properly authorized, licensed, and configured as well as adequately secured. Any unnecessary services should be disabled or the associated ports should be closed.72
We recommend district management develop and finalize a DRP/BCP. A DRP/BCP should include, but not be limited to, the following:
- identification of key district staff involved in the DRP/BCP and contact information for these personnel;
- identification of critical systems and data;
- designation of recovery time for each critical system (24 hours, 3 days, 1 week, etc.);
- identification of off-site facilities to be used in emergencies, including off-site personnel and contact information;
- identification of contractors with whom agreements have been made for obtaining emergency equipment and software replacement;
- documentation of recovery procedures for critical systems and data;
- documentation of alternate business procedures to be followed in case of extended disruption of IT systems and/or the inability to use normal facilities; and
- identification of other DRP or BCP plans that are system or process specific, such as the one with the MUNIS vendor.
District management should distribute the DRP/BCP to key staff responsible for this process and provide training in their specific responsibilities. These plans and procedures should be updated regularly as staff, systems, and data change.73
We recommend district management develop, document, and test written backup procedures. Backup procedures should include, but not be limited to, the following:
- data to be backed up along with logical locations;
- procedures to create backup copies;
- frequency of backups and number of backup versions to be maintained;
- on-site and off-site storage locations and contact personnel and numbers;
- schedule of moving backups off-site;
- retention periods for critical data; and
- key personnel responsible for backup procedures.
District management should distribute the backup procedures to key staff responsible for this process and provide training in their specific responsibilities. These plans and procedures should be updated regularly as staff, systems, and data change. District management should regularly test the DRP/BCP and backup procedures to ensure data can be recovered and systems resume functionality in the established timeframe. Documentation of the results of these tests should be retained and available.74
We recommend district management review the applicable record retention schedules established by the Kentucky Department of Libraries and Archives. District management should ensure that all aspects of the applicable record retention schedules are addressed in the overarching policies of the district. Of specific note, districts should ensure policies address the retention requirements for all types of official or business communication and other records. District management should ensure that users are aware of their responsibility to comply with this district policy.Section IV: Recommendation 75 for Site Based Decision Making Councils Regarding Activity Fund Policies and Procedures.75
To facilitate compliance with the Kentucky Department of Education’s (KDE) Accounting Procedures for Kentucky School Activity Funds, we recommend Site Based Decision Making Councils develop school specific policies and procedures to oversee activity funds. These policies and procedures should be designed to ensure financial transactions of the activity funds are properly accounted for, reported, and used for the benefit of the students. We also recommend that the Site Based Decision Making Council inform all external booster organizations of the requirements of activity accounts according to KDE’s Accounting Procedures for Kentucky School Activity Funds, as well as any school specific policies and procedures developed.