'Our district, like many other organizations, had a security breach,' VCS said in a statement.
A state audit report has identified a series of blunders at Volusia County Schools, including flawed implementation of a multimillion dollar software program, insufficient accounting of district resources, and a security breach that sent hundreds of thousands of district dollars to a bank account that appears to be linked to an overseas fraud scheme. “District security management needs improvement,” the report states.
The district told the Observer that it has learned from the errors and has made changes to prevent similar problems in the future.
In July, an operational audit by the state's auditor general for Volusia County Schools and its school board found that the district did not use a board-established steering committee or "other effective procedures" to ensure the implementation of its new financial system was successful.
The operational audit by the state’s auditor general, released in July, found that the district had not used a board-established steering committee or “other effective procedures” to ensure the implementation of its costly new financial system was successful, according to the audit report.
The new financial system was never fully implemented even though the district spent $5.2 million in 2017 in contract costs with company CherryRoad Technologies, plus another $2.4 million for four change orders between December 2018 and November 2020.
The audit also found that the district needlessly spent $1.34 million trying to implement the human resources application of the Oracle Fusion financial system. VCS decided in August 2021 to continue using the previous application because Oracle Fusion’s “did not produce correct employee pay amounts.”
In May of this year, district personnel indicated that they were trying to negotiate reimbursement from CherryRoad Technologies.
The unsuccessful implementation — one phase of the system could not be implemented, and the other phases were implemented a year after the contract’s implementation dates — was an outcome that a former VCS employee had repeatedly warned the district about.
“If we are ever lucky enough to ‘make’ this software work, it will most likely be the most expensive ERP [enterprise resource planning] solution ever brought forward to a K12 institution with both the minimal and most complicated functionality,” ex-employee Alex Kennedy wrote in a 2018 email to a director who is no longer with the district.
Kennedy, who worked as an assistant director of applications and infrastructure with the district, was told his position was going to be eliminated in May 2020. He says he was fired for warning about the software.
A resident of Ormond Beach, Kennedy had worked for the district for 13 years. He filed a lawsuit for whistleblower retaliation in August 2020. The judged ruled in the district’s favor in December 2021, finding that Kennedy’s situation did not constitute a violation of the Florida Public Sector Whistleblower Act. Kennedy appealed the decision in January.
Due to the pending litigation, the district declined to comment regarding Kennedy’s claims.
For Kennedy, the audit is evidence of the prescience of his warnings to the district and supports his case that the district retaliated against him. “It’s an act of god to basically fight whistleblower retaliation,” he said. “I’ve been suffering for two years now.”
Kennedy has applied three times for the school district’s chief information officer position.
A 'money pit'
School Board member Carl Persis described the time period between 2018 to 2021 as a “perfect storm of events.” He and School Board member Linda Cuthbert are the only board members to remain in office who were also present when the new financial system was chosen.
Since then, two superintendents have been fired, schools were impacted by the COVID-19 pandemic, the district has changed its chief financial officer and there have been further changes in the district’s IT department — all areas which were cited in the audit, Persis said.
“I think we obviously made a mistake in the purchasing of that system,” said Persis, adding that Oracle Fusion proved to be a “money pit” as the district tried to implement it.
It conflicted with the system for human resources, payroll and tangible property inventory. When the board had asked when the system would be fully implemented, staff would respond that they were almost there, or that outside help was needed. Persis said it has been a learning experience, but that he doesn’t blame any one person because there was so much change at the district during the system’s implementation.
“[Superintendent Carmen Balgobin] has hired new people at the top of all of these departments, and I have confidence in the new leadership that we will be moving forward,” Persis said. “We are taking corrective action. We’ll certainly learn from this mistake and I feel confident that we’re headed in the right direction now.”
Overseas fraud scheme
The state audit also found that “district personnel did not always verify vendor bank accounts before electronic payments were made to those accounts, and as a result, electronic payments totaling $359,566 for vendor services were made to a wrong bank account.”
“Our district, like many other organizations, had a security breach,” VCS said in a statement. “The incident was properly reported to the authorities and our board. The losses were substantially covered by insurance. Changes to our processes and staff were made to ensure that future risks were minimized. The auditor general is obligated to report the incident in our annual audit report. We have discussed this matter with the auditor general and are confident that the changes made will protect us.”
That incident took place during the 2020-2021 fiscal year, and the audit states that the DeLand Police Department said that a theft investigation was in progress, and that the theft “appeared to be the result of an overseas fraud scheme.”
The audit also pointed to shortfalls in the financial system: When the state asked for records identifying vendor changes for the fiscal year, district staff had said that the system “could not generate a report of the changes and other records were not readily available to identify vendor information changes.”
“Without effective procedures to document independent verification of vendor information changes before payments are made, there is an increased risk for fraud or errors to occur without timely detection and recovery of losses,” the report states.
The audit also found that required background screenings weren’t always performed on a timely basis; that the district had failed to conduct required tangible personal property inventories or get the School Board’s approval for disposal of items with a net value of $200,000; that there were some IT user access privileges that the state deemed “unnecessary” and that increased the risk of unauthorized disclosure of student personal information and district data; and that security management and IT security controls needed improvement.
The audit, while it hasn’t been discussed during a School Board meeting, was sent directly from the Auditor General’s office to all board members, according to the district.
District makes changes
On July 21, Balgobin responded to the state’s audit and provided corrective action plans.
She wrote that the vendor payment process has since been enhanced, and that background screening duties have assigned to a human resources analyst. The district hadn’t been able to perform the required property inventories after going live with the Oracle Fusion system, she reported, because the software couldn’t be used for physical inventories. The district has since acquired another school software system for that. Balgobin also said the district is developing a cyber security improvement plan and training for employees.
As far as the ERP implementation, Balgobin wrote to the state that the district acknowledges it hasn’t been fully successful. She said a new steering committee has been established to create “effective procedures to ensure efficient and effective implementation of our ERP.”
The creation of the steering committee was one of the auditor general’s recommendations, the district said in an email.
“We are reviewing the current ERP and possible new solutions,” Balgobin wrote. “The committee is establishing timelines for testing and modifying the system as we determine the full scope of functionality the district needs in its ERP and if our current systems meet those requirements.”
These issues show why it’s important to have audits, Persis said: Now the board knows about the errors and what must be done to ensure that they are not repeated.
“We can’t change what has occurred, and the people who were in charge of it at that time are no longer here,” Persis said. “... Everyone who is in charge now will nod their head and say, ‘Yeah, we agree. Mistakes were made, but this is what we’re doing now and this is how we can assure you we’re on the right track.’”