Executive Summary
Why the Controller’s Office Conducted the Audit
In accordance with the Philadelphia Home Rule Charter, the Office of the City Controller audited the School District of Philadelphia’s (District) basic financial statements as of and for the fiscal year ended June 30, 2021, for the purpose of opining on its fair presentation. As part of this audit, we reviewed the District’s internal control over financial reporting to help us plan and perform the examination. We also examined compliance with certain provisions of laws, regulations, contracts, and grant agreements to identify any noncompliance that could have a direct and material effect on financial statement amounts.
FY21 Report Findings
The Controller’s Office found that the District’s financial statements were presented fairly, in all material respects. During our audit, we identified one significant deficiency and one condition regarding the District’s internal control over financial reporting that require management’s attention. These matters include:
- Inadequate Review of Access Controls and Segregation of Duties (Significant Deficiency)
As part of the audit of the District’s fiscal year 2021 Annual Comprehensive Financial Report, the Controller’s Office, through the use of an independent accounting firm, performed an assessment of the information technology application and general controls related to the District’s new Oracle system. The assessment identified that there was no requirement to identify incompatible user access permissions as part of the system implementation. As a result, users could have access not commensurate with their job responsibilities and users may have access across incompatible roles, responsibilities, and permissions within the system, which could allow a user to bypass system controls. - Although Improved, Backlog of Termination Payments Still Exists (Other Condition)
Since fiscal year 2008, the Controller’s Office has noted that the District is not processing termination payments to former employees in a timely manner. Although much improved, the District continues to have a backlog of termination payments to process and distribute. At the conclusion of our fiscal year 2021 audit, we found that termination payments totaling $2.7 million were owed to nearly 500 former employees who had separated since fiscal year 2019.
What the Controller’s Office Recommends
The Controller’s Office recommends that the District formally identify the areas of responsibility related to security and provisioning of access for the Oracle system and include them in an overall security program or policy. The security program or policy should include a requirement for periodic reviews of access, which should include segregation of duty considerations. The District should also develop a comprehensive document that identifies incompatible roles, responsibilities, and permissions, clearly. Additionally, the Controller’s Office recommends that the District continue to work to resolve the backlog of termination payments.