Audit Report on The Administration Of Wireless Devices And Services By The Department of Information Technology and Telecommunications

March 1, 2013 | FN12-061A

AUDIT REPORT IN BRIEF

The Department of Information Technology and Telecommunications (DoITT) is charged with administering wireless devices, services, and support to City agencies, Borough Presidents, and Community Boards. Three separate DoITT groups are tasked with managing wireless devices and services—the Enterprise Mobile Technologies (EMT) group, the Telecom Audit and Reporting (TAR) group, and The Cost Recovery group (CRG). DoITT procures wireless devices, including cellular phones, BlackBerry-type devices, and air cards, and associated wireless services from Verizon, Sprint/Nextel, and AT&T. During Fiscal Year 2011, DoITT was responsible for administering approximately 31,113 wireless devices with associated service and device costs of $14,705,742—$14,004,187 for services and $701,555 for devices. DoITT also administered Police Department wireless payments totaling $3,461,656.

DoITT communicates its initiatives and policies to and works with designated Agency Wireless Coordinators to deploy and manage wireless devices and services. In order to obtain new, upgraded, or modified wireless devices and domestic services, Agency Wireless Coordinators must submit requests through the Remedy System. All requests must be accompanied by a properly completed M1 Form (see Appendix). The M1 Form records critical user data and equipment and service plan data which form the basis for Citywide inventories that DoITT maintains as a service for City Agencies. Additionally, the M1 Form serves as the agency purchase order and certifies the justification, approval, and availability of funds to cover equipment and recurring monthly service costs. Similarly, Agency Wireless Coordinators must submit wireless international service activation requests through the Remedy System. All requests must be accompanied by a properly completed Request for Wireless International Roaming Form. This form records the requesting user’s travel dates and documents the justification and authorization for services.

Each month, DoITT provides agencies detailed monthly usage reports for each of their wireless users. Agencies are responsible for verifying user data, usage, and charges.

Audit Findings and Conclusions

DoITT’s responsibility for supporting wireless devices and services needs to be redefined. Specifically, DoITT assumed responsibility beyond its mandated requirements, but did not establish policies and procedures clearly delineating DoITT and agency responsibilities. Our review found that DoITT did not implement adequate internal controls to safeguard wireless devices and ensure accountability for wireless services. Specifically, based on the results of our audit tests, DoITT and City Agencies did not ensure that wireless device issuance was properly authorized, inventory was properly accounted for, and expenditures were appropriate. As a result, DoITT did not: prevent or detect the unauthorized acquisition and use of wireless devices and services; establish accountability for more than 30 percent of City-issued wireless devices and their associated service costs; and identify unutilized, underutilized, or redundant wireless devices and services. Consequently, for the three-month period April through June 2011, the City incurred unnecessary or questionable service costs totaling nearly $1.2 million related to devices which were not linked to a City user, unutilized, and/or redundant.

Audit Recommendations

To address these issues, we make 11 recommendations including that DoITT should:

  • Institute written policies and procedures that specifically address DoITT’s assumed responsibilities for supporting wireless services, including procedures to be followed by DoITT and City agency personnel responsible for wireless administration processes.
  • Employ computer system edits or review processed requests to ensure that EMT staff process only wireless requests that are accompanied by properly completed M1 Forms or Request for Wireless International Roaming Forms.
  • Periodically review its “NYC Employee Requests for Wireless International Roaming Service” schedule to ensure that EMT staff input all request data and activate and deactivate services in a timely manner.
  • Work with City Agencies to maintain a single comprehensive inventory that records, at minimum: a user’s name and/or unique employee identification number, and agency; wireless device unique identification number, type, and disposition; and service plan type and cost.
  • Continue to periodically review agencies’ usage for three-month periods, identify user plans and features with no or only limited usage, and recommend to agencies cost saving opportunities including but not limited to: canceling, downgrading, or sharing plans, and switching from monthly plans to pay-as-you-go plans.
  • Work with City Agencies to identify users who are assigned multiple wireless devices and cancel redundant services.
  • Work with City Agencies to identify users who are not employed in agency or City service and recommend to agencies that they cancel unauthorized services.
  • Require City agency personnel to review wireless device shipments, verify and certify order quantities, and prepare and send receiving reports to DoITT’s CRG.
  • Require DoITT CRG personnel to compare purchase order, receiving reports, and invoice quantities and pricing prior to approving wireless provider payments.
  • Require City agency personnel to conduct periodic inventory counts, compare inventory count results to control records, and report discrepancies to DoITT.
  • Segregate duties for critical wireless administration processes including but not limited to: processing requests and orders, receiving devices, activating services, and recording and making changes to inventory records.

Agency Response

In its response, DoITT disavowed nearly all responsibility for wireless administration rather than recognize that it lacks adequate controls over critical wireless functions. DoITT categorically rejected the report’s findings and conclusions on the basis that DoITT only “…verifies the availability of agency funds before placing an order for wireless devices and service. Other than budgetary verification, DoITT does not have any other oversight responsibility with regard to City agencies’ wireless devices and service.” However, throughout the audit process, DoITT did, in fact, inform us and provide us documentation evidencing DoITT’s Citywide wireless responsibilities and procedures including those for: ensuring that wireless devices and services are issued to only authorized City users for justified purposes, maintaining a Citywide inventory of wireless devices, and monitoring wireless expenditures and recommending cost-saving measures.

Moreover, in DoITT’s testimony and Finance Division Briefing Paper provided to the City Council at the Hearing on the Mayor’s Fiscal 2013 Preliminary Budget & the Fiscal 2012 Preliminary Mayor’s Management Report, DoITT detailed its Citywide wireless management and monitoring program and claimed budgetary Program to Eliminate the Gap (PEG) credits for resulting Citywide cost savings. DoITT cannot have it both ways. DoITT cannot claim PEG credits for wireless management and “regularly monitor[ing] unused lines, underutilized lines” and subsequently assert that the report “goes astray in its very first sentence” for stating that DoITT is charged with administering wireless devices and conclude “[f]ounded as it is on this demonstrably false premise, the balance of the report, its conclusions, and subsequent recommendations are without merit.”

DoITT rejected nine of the 11 report recommendations based on the above position that it has no responsibility beyond the budgetary. We find this position puzzling. As stated in our report opinion, “DoITT’s responsibility for supporting wireless devices and services needs to be redefined. Specifically, DoITT assumed responsibility beyond its mandated requirements but did not establish policies and procedures clearly delineating DoITT and agency responsibilities.” Our review determined that enhanced oversight of wireless administration with clearly defined roles (including the possibility of centralized oversight) is necessary to safeguard wireless devices and ensure accountability for wireless services. Based on our opinion, we do not understand how DoITT can reject recommendations that aim to clarify its role as well as strengthen and ensure compliance with existing DoITT policies and procedures.
