A state audit shows inadequate security policies has put the Virginia School for the Deaf and Blind at risk for information technology breaches, and it has uncovered accounting lapses related to a construction project.
The 173-year-old school lacks most of the information "to develop and implement an information-security program that provides assurance over data confidentiality, integrity and availability," according to the audit.
Walter Kucharski, state auditor of public accounts, said no security breeches have occurred but the report should be a warning.
"Is anybody stealing from them today, or has anything bad happened? No," he said. "This is basically a cautionary tale to say, "You need to think about this stuff."
The accounting issues are related to a roughly $71 million construction effort to consolidate the Staunton-area school with the Hampton School, according to the audit.
For example, the school paid seven invoices that included travel expenses without supporting documentation and one that included overcharges for shipping fees.
In addition, school Superintendent Nancy C. Armstrong approved an architect and engineer invoice after it was paid, the audit states.
Ms. Armstrong said the errors have since been corrected.
Mr. Kucharski said the computer-security concerns are more about the school being so small, and less about institutional problems.
"If you lose one or two people, you could knock your IT department off and they wouldn't know how to react," he said. "And the same thing is true with the accounting department."
Ms. Armstrong said the school is addressing that concern by implementing an Information Security Program that includes more cross-training.
"We've always done cross-training, internal controls," she said. "We've just stepped that up."
The school is also in the process of replacing its computers to end costly oversight from the Virginia Information Technologies Agency (VITA), which oversees IT networks for state agencies.
The school will keep administrative functions on the state network but will have to install a new system for its instructional computers.
The school's annual bill from VITA was roughly $335,000.
State Sen. Emmett Hanger, Augusta Republican and chairman of the school's Board of Visitors, said the school was forced to be part of the state system because it was established as a state agency.
"No other school of any type was falling under the purview of VITA," he said.
The school still has 60 computers on campus until it can replace them with their own, which should occur by Christmas, Ms. Armstrong said.
Defense contractor Northrop Grumman runs the state's data centers, help desks and other IT operations as part of a $2.3 billion contract — the largest single-payer contract in the history of Virginia government.
Last year, the state agreed to extend the 10-year contract by another three years and pay nearly $200 million more, despite state agencies and the company clashing over payments and the quality of services.
The Virginia School for the Deaf and Blind also wants to separate from Virginia's Payroll Services Bureau, which started processing payroll, leave accounting and certain benefits data functions for the school Jan. 1, 2010.
Ms. Armstrong, in her response to the audit, asked that the school retain its own payroll staff, which it had done because of the number of errors it has experienced with the state service.
"When you're talking about government services and money, it's costing us double, which doesn't quite seem efficient to me," she said. "I thought it was a redundancy, and still think it's a redundancy."
Comptroller David A. Von Moll acknowledged issues during the transition, but said the new system is now working well.
"We're in routine communication with all of our customers," he said. "We're operating under the assumption that things are going smoothly."
© Copyright 2015 The Washington Times, LLC. Click here for reprint permission.