The New York State comptroller’s office last week released an audit that confirms weaknesses in the way Westhampton Beach Village stores and safeguards its financial records, and other sensitive electronic documents, creating the opportunity for potential misuse.
The auditors examined the village’s internal controls from June 1, 2011, to April 30, 2013, and found that some village employees unnecessarily had administrative rights to computer accounts. They also determined that Village Clerk/Treasurer Elizabeth Lindtvit, who took over the position in May from Rebecca Molinaro, had retained administrative rights to the village’s financial software, giving her—or whoever held that position—the ability to potentially modify data files and correct errors without notifying others.
The audit, which was released on September 5, notes that the village clerk has the ability to “control and use all aspects of the financial software applications, including creating a new user, updating the user access rights, and performing other administrative functions including management overrides. With these abilities, she could create fictitious users to misappropriate Village funds.”
The audit, however, did not state any specific instances when any such misuse might have occurred.
The 13-page document also notes that village officials were not generating or reviewing audit logs that were available to them through their financial software. The Board of Trustees also has not developed a disaster recovery plan that could prevent the loss of vital data if the records are destroyed during a flood or storm, according to the document.
Those weaknesses, the audit states, subject village data to “increased risk of corruption, loss or misuse.”
In January, the comptroller’s office conducted a risk assessment of the village’s finances after a payroll error committed by Ms. Molinaro in the 2011-12 fiscal year, which carried over to the early part of the 2012-13 fiscal year, resulted in the overpayment of approximately $22,000 to village employees. At the time, the state auditors concluded that the village’s finances were sound and did not warrant further examination, though the assessment shed light on the weaknesses in its information technology controls, triggering an audit of that area.
Brian Butry, a spokesman for the state comptroller’s office, said the risk assessment and information technology audit were part of the normal oversight process. He said he did not believe that the auditors uncovered any misuse of data as a result of the weaknesses in security.
The audit also lists recommendations for addressing the issues, such as establishing a policy to ensure that employees are properly logged in and only accessing data pertaining to their jobs, restricting administrative rights of village employees and creating a disaster recovery plan for the data. In a letter attached to the audit, and dated August 21, Mayor Conrad Teller said the village had already begun implementing some of the recommendations.
The audit notes that the Village Board is responsible for initiating and sending a corrective action plan that addresses the findings to the comptroller’s office within 90 days.
“The majority of the changes have been corrected,” Mr. Teller said last Thursday afternoon, noting that village officials had already restricted Ms. Lindtvit’s administrative rights so she cannot create user accounts.
After last Thursday night’s board meeting, the trustees said the results of the IT audit were expected, and echoed what the mayor had stated earlier, explaining that many of the recommendations had already been implemented.
The mayor added that the audit’s findings were expected, noting that auditors found no money missing and no misuse of the computer systems at Village Hall.
“I thought it was a very fair review,” Mr. Teller said. “It was done in a timely and professional manner, and the people from the state were very helpful in identifying what could be a loophole or an opening for somebody to get into the computers. Everybody here agrees with them. It’s a matter of putting it into practice.”