Skip to content
Home » Cayuga County » Auburn » State audit finds gaps in Auburn school building access controls

State audit finds gaps in Auburn school building access controls

State audit finds gaps in Auburn school building access controls

A state audit found the Auburn Enlarged City School District failed to consistently deactivate unnecessary building access badges, track shared credentials or prevent some users from holding multiple active badges, creating a potential risk of unauthorized entry into its schools.

The review by state Comptroller Thomas DiNapoli’s office examined the district’s building access system from July 2024 through November 2025, with access logs reviewed through Jan. 29, 2026. Auditors found the district had 1,276 active access accounts across eight school buildings, including hundreds assigned to employees, contractors, coaches, vendors, first responders and other non-employees.


District officials generally agreed with the findings and said they have already deactivated unnecessary credentials, adopted a new access-control policy and created a twice-yearly review process.

The district must submit a written corrective action plan to the comptroller’s office within 90 days. The plan must also be posted publicly on the district’s website.

Duplicate and unnecessary badges remained active

Auditors found 26 district employees and one non-employee had two active access badges apiece.

Some duplicate badges were issued after original credentials were damaged, but the old badges were not disabled. One Information Technology Department employee also had an additional badge for testing purposes, although the district’s technology director told auditors he did not know the badge existed and said it was unnecessary.

Superintendent Misty Slavic also had a second active badge. She told auditors it was retained for use during building lockdown emergencies and was necessary for her position.

Auditors said retaining multiple active credentials increases the risk that a badge could be lost, stolen or used to gain unauthorized access. The unnecessary replacement and testing badges reviewed during the audit were disabled before fieldwork ended.

The district’s system included 828 badges issued to 802 current employees. Another 448 badges were associated with non-employees, including contractors, first responders, coaches, service providers and other individuals.

Auditors reviewed 25 of the 311 access accounts assigned to individual non-employees and found eight, or 32%, were no longer needed. Those badges had been issued to people who no longer provided services to the district but remained active because department heads had not notified the IT Department to revoke access.

The district disabled all eight credentials during the audit.

Shared badges were poorly tracked

The most significant weaknesses involved shared badges that were connected to a role or function rather than a specific person.

The district had 137 active shared badges. Sixty were designated for first responders, which officials said were needed for law enforcement access. The remaining 77 were issued for purposes involving coaches, contractors, substitutes, interns and other users.

Auditors said those 77 badges did not comply with the district’s own procedures, which required access credentials to be assigned to individual users.

Seven of the shared badges had never been used, while another 16 had not been used in at least three years.

Auditors selected 13 shared badges for closer review and found 11, or 85%, were unnecessary.

Six were overseen by the Athletics Department and intended for coaches. The department’s assistant could not identify the location of four badges.

Of the remaining two, one had been given to a coach who was already a district employee and had another individual badge. The employee used both credentials to enter district buildings.

The other was issued to a non-employee coach who did not return it after the coaching season ended.

Two additional badges were held by former contractors who no longer worked for the district. Another had been issued to the district’s mail service provider for convenience, although officials acknowledged it was not necessary.

The remaining unnecessary credentials had been issued to an intern and a substitute secretary who no longer worked for the district.

Officials from the Athletics and Facilities departments did not know which coaches or contractors still had active badges until auditors provided them with a list. Those departments had also failed to tell the IT Department when the access was no longer needed.

All 11 unnecessary badges identified in the sample were disabled during the audit.

Procedures existed but were not consistently followed

The district had written procedures identifying who could create access accounts, who could receive credentials and which officials were responsible for revoking access. The procedures also established limits on when and where a person could use a badge.

Auditors found those rules were not consistently followed.

The technology director said the procedures were created in August or September 2025 as part of corrective action following a separate cybersecurity audit. However, they had not been distributed to all key employees because officials were still finalizing them.

As a result, some staff members responsible for coaches, contractors and other non-employees did not understand their obligations to track or revoke building access.

The IT Department also did not periodically review all active credentials to determine whether they remained necessary.

Auditors said the district’s eight school buildings each have one public entrance, while employees may use other secured doors with electronic credentials. That makes the management of access badges a fundamental part of school security.

The comptroller’s office said schools should assign each authorized user a unique credential, avoid shared badges whenever possible and immediately disable access when an employee, contractor or other user no longer needs it.

Access should also be routinely reconciled against employment records, contractor lists and departmental needs.

District says corrective work is underway

In its written response, the district said it had already completed a broad review of badges issued to employees, coaches, contractors, food service workers, mail service providers, substitutes and other users.

Officials said duplicate, inactive and unnecessary credentials identified during the audit were deactivated, and replacement badges are now disabled when new credentials are issued.

The Board of Education adopted a Building and Door Access Control Policy in May. According to the district, the policy establishes authorization standards, individual badge requirements, review schedules and oversight responsibilities.

The district also created an administrative regulation governing new users, special access requests, non-employee credentials, terminations, monitoring and reporting.

A standardized electronic request form is now being used to document new access, changes and removals.

The district said the IT Department will conduct access reconciliations twice per year with designated staff from Athletics, Facilities, Food Service, Student Services and other departments.

Auditors issued five formal recommendations, including immediately disabling unnecessary accounts, eliminating duplicate badges, assigning credentials to individual users, distributing access procedures to responsible staff and reviewing active badges through regular system reports.

The district said the audit exposed weaknesses in communication, documentation and oversight but left it in a stronger position to manage access going forward.