We audited the New York City Department of Consumer Affairs’ (DCA’s) development and implementation of the Accela system to determine whether the system meets DCA’s overall goals and whether it has adequate functions to ensure that the information process is reliable and secure from unauthorized access.

DCA licenses more than 81,000 businesses in more than 50 industries and enforces key consumer protection, licensing, and workplace laws including the paid sick leave and commuter benefits laws.  DCA also inspects businesses to ensure compliance with license and weights-and-measures regulations, and investigates complaints received from the public through 311 and other means.  In enforcing these laws and regulations, the agency also provides mediation of consumer complaints and secures restitution for consumers.

In 2011, DCA, under a master contract with the Department of Information Technology and Telecommunications (DoITT), contracted with Accenture LLP to develop a new Enterprise Licensing and Permitting system by customizing the off-the-shelf software from Accela, Inc. to meet DCA’s business needs.

Audit Findings and Conclusion

Our audit found that DCA’s Accela system is currently operational and generally meets its overall system specifications.  However, we found certain system deficiencies.  Specifically, we found input fields with insufficient validation checks to ensure the validity of entered data.  Further, we found that user access was not consistently disabled for inactive users and former employees, and that DCA did not enforce password expiration rules that would limit access to authorized users.

In addition to these findings, we conducted a User Satisfaction Survey of DCA personnel who use Accela.  In response to that survey, a good portion of the respondents reported problems with the system.  Specifically, 42 percent of the respondents indicated that the Accela system requires repetitive data entries, 22 percent stated that Accela is not easy to use, and 49 percent would like to see changes made to the system.  Further, the survey respondents noted several specific concerns, which include that the system is slow, has frequent crashes, and is hard to search.

Audit Recommendations

To address these issues, we made the following five recommendations that DCA should:

  • Require validation checks for all applicable fields, including for dates and EINs in the Accela system to ensure that only valid data can be entered into the system.
  • Terminate access to the Accela system for those individuals who are no longer employed by a City agency.
  • Periodically contact external agencies and review the status of the external users and terminate access as appropriate.
  • Ensure Accela Account Management Policy and Procedures are enforced for external agency users. Install a lockout feature that automatically disables access to the system if passwords of external users are not changed after 90 days.
  • Consider the users’ concerns identified in the User Satisfaction Survey and take appropriate steps to address them.

Agency Response

In its response, DCA generally agreed with four recommendations and stated that one is “already in place.”  At the same time, DCA took issue with some findings in the report.  However, DCA stated, “We are in the process of upgrading Accela.  The tentative release for the upgrade is August 2017.  With the release of new features by Accela, the upgrade is intended to address certain concerns upon rollout.”