Audit Report on the Development and Implementation The Galaxy System by the Department of Education

AUDIT REPORT IN BRIEF

We performed an audit of the development and implementation of the Galaxy system (Galaxy) by the Department of Education. Galaxy was conceived as an integrated budgeting tool that would allow school planners to create budgets, update spending plans, and obtain access to data warehouses and other management assets needed to effectively budget resources. In 1999, the Department of Education (Department) hired Hudson Valley System to oversee Galaxy’s development and Island Computer Products (ICP) to design, develop, and implement Galaxy agency-wide.

Galaxy met the Department’s initial business and system requirements; the system design allowed for future enhancements and upgrades; and the Department generally complied with the City Charter and relevant Procurement Policy Board Rules when procuring services, equipment, and software for the system. In addition, the system met the overall goals as stated in the original system justification, and the Department followed a formal system methodology when developing Galaxy. Furthermore, Galaxy has been integrated into the Department’s Disaster Recovery Plan.

However, the Department did not hire a quality assurance consultant when Galaxy was being developed, and most users who responded to our user survey indicated that they are dissatisfied with the system. In addition, the Department has not surveyed Galaxy users to determine whether the system is adequately performing its intended functions. Moreover, the system has serious security issues that should be addressed. Specifically: log-in access is not adequately controlled; users are not required to change their passwords; there are no procedures in place to ensure that security violations are recorded, documented, and reviewed; and employees who actually use Galaxy were not trained to operate the system.

To address these issues, the Department should:

1. Engage an independent quality-assurance consultant to monitor and review development work and any system enhancements or subsequent work on Galaxy and any future system development projects
2. Immediately address all user concerns noted in this report.
3. Conduct periodic user surveys to discover common or recurring problems requiring executive management’s attention. Management should address these problems immediately.
4. Develop written policies and procedures for terminating inactive user IDs. Also, the Department should review the status of the inactive users and terminate access as appropriate.
5. Establish a procedure to record, document, and review any security violations that occur in the system.
6. Immediately provide training to all Galaxy users, distribute training discs, and introduce all users to Galaxy’s instructional Web site.