Audit Report on the Civilian Complaint Review Board’s Controls over Its Inventory of Computers and Related Equipment

May 23, 2018 | MD18-067A

Table of Contents

    EXECUTIVE SUMMARY

    The objective of this audit was to determine whether the New York City Civilian Complaint Review Board (CCRB) has adequate controls over its inventory of computers and related equipment.

    The CCRB is an independent agency that was established by Local Law #1 of 1993.  It receives, investigates, prosecutes, mediates, hears, makes findings and recommends action on complaints alleging the use of excessive or unnecessary force, abuse of authority, discourtesy or the use of offensive language by New York City Police Officers.  The CCRB consists of 13 members of the public who are City residents and reflect the diversity of the city’s population.

    Computers and related equipment (including mobile devices) play a vital role in helping CCRB staff achieve the agency’s mission.  Among other things, investigation squads are assigned cameras, recorders, laptops, and other mobile devices to use in the field.

    The CCRB’s Management Information System (MIS) Unit and Operations Unit each have responsibilities for managing the agency’s inventory of computers and related equipment.  The MIS unit is responsible for tracking the CCRB’s inventory of network appliances, servers, laptops, printers, and desktop computers, while the Operations Unit maintains the CCRB’s inventory of smartphones, desk phones, iPads, voice recorders, and cameras.  Each unit maintains its inventory records in Excel spreadsheets, which as of July 31, 2017, included 912 items tracked by the MIS unit and 166 devices tracked by the Operations Unit.

    Audit Findings and Conclusion

    The CCRB’s controls over its inventory of computers and related equipment are deficient in a number of areas.  Although we were able to locate 96 percent of the sampled equipment listed in the CCRB’s inventory records, we found that the inventory lists maintained by the CCRB contained inaccurate and incomplete information for some of the listed equipment items and did not list other items that were in the CCRB’s custody.  In addition, although the CCRB uses sequential, pre-numbered property tags to account for its equipment, we identified numerous missing sequential tag numbers that the CCRB could not account for.  In the absence of an accounting or a verifiable explanation for why those tag numbers were missing from the CCRB’s inventory records, we were unable to ascertain whether they had been assigned to equipment that was not listed in the CCRB’s inventory records or whether they had been skipped, that is, never issued or used by the CCRB.  We also found items in the CCRB’s custody that did not have number-tags affixed and items that were listed in the CCRB’s inventory records without tag numbers.  Further, we found that equipment serial numbers for the CCRB’s Cisco desk phones are not tracked, making it difficult to account for those items and consequently increasing the risk that they could be misappropriated or lost without detection.  Other deficiencies noted in the audit include that the CCRB: (1) does not ensure that obsolete items are relinquished; (2) has inadequate written inventory policies; and (3) maintains an inadequate segregation of duties in relation to its computer equipment management.

    Finally, we found that the CCRB does not adequately monitor the use of its mobile devices and incorrectly charged expenses to the budget code 332 (computer equipment) in FMS.

    Audit Recommendations

    Based on the audit, we make 10 recommendations, including:

    • The CCRB should strengthen its inventory management controls to ensure that all equipment is properly accounted for, assigned to the correct employee, tagged and secured.
    • The CCRB should ensure that tag numbers are sequentially assigned to all equipment and tracked.
    • The CCRB should ensure that Cisco phones are recorded in inventory records along with their serial numbers, and that the phones are tagged.
    • The CCRB should comply with OSA’s relinquishment policy and ensure that all unused computers and related equipment presently in storage is relinquished in accordance with the requirements.
    • The CCRB should ensure that key responsibilities for the management of the inventory of computers and related equipment are adequately segregated or institute compensating controls if a segregation of responsibilities is not feasible.
    • The CCRB should ensure that its records reflecting all authorized users of all of its mobile devices are updated, made complete and accurate, and reconciled with its monthly billing statements for mobile device usage, so that it pays only for wireless services actually provided to authorized employees.
    • The CCRB should ensure that its payments are charged to the correct object codes.

    Agency Response

    In its response, the CCRB agreed with the audit’s 10 recommendations.

    $242 billion
    Aug
    2022