Assessment and Evaluation of The School District of Philadelphia’s Oracle Information Technology General Controls and Applications Controls Fiscal Year 2025


Date: April 16, 2026
Controller: Christy Brady

Executive Summary


Why the Controller’s Office Conducted the Audit

In accordance with the Philadelphia Home Rule Charter, the Office of the City Controller engaged Eisner Advisory Group, LLC (EisnerAmper) to conduct an assessment of the Information Technology (IT) general controls and application controls related to the School District’s Oracle Enterprise Resources Planning (ERP) system. The assessment was focused on the Oracle functions: Human Capital Management (HCM) Payroll/HR Module and the Expenses Module (Travel and Employee Reimbursement). The objective of this assessment was to evaluate the IT controls over key financial-related applications in connection with the audit of the School District of Philadelphia’s Annual Comprehensive Financial Report for the fiscal year ended June 30, 2025.

What the Controller’s Office Found

Key findings in the report are listed below. We believe these findings and others described in the report warrant the attention of management.

  • The annual user access review was not focused on a complete listing of users and accounts across the School District, management did not formally document the methodology used to assemble and validate the completeness of the user access listing, and supporting documentation for requested access changes was not consistently retained.
  • Although management performed periodic reviews of Lightweight Directory Access Protocol (LDAP) administrator as part of ongoing risk-assessment and security-monitoring activities, these reviews were not formally documented or supported with evidence of completion or approval.
  • Management did not complete an annual Profile-to-Role review in Oracle, including an analysis of potential incompatible role combinations.
  • For each of the three (3) configuration changes tested, the change documentation did not specify the individual responsible for migrating changes to production, preventing confirmation that migrations were performed by an authorized individual independent of the application developer.

What the Controller’s Office Recommends

The Controller’s Office has developed a number of recommendations to address the findings noted above. These recommendations can be found in the body of the report.