Audit Report on the Development and Implementation of the Automated City Register Information System by the Department of Finance

AUDIT REPORT IN BRIEF

We performed an audit on the development and implementation on the Automated City Register Information System (ACRIS) by the Department of Finance (Department). The goal of the system is to search records and view document images for properties in Manhattan , Queens, Bronx, and Brooklyn . The system is designed to improve access to information about real and personal property, and to improve the processing and recording of property documents and related fees and taxes.

Audit Findings and Conclusions

ACRIS is operational and generally meets the initial business and system requirements of Phases 1 and 2. Phases 1 and 2 as finished products meet the overall goals stated in the system justification. In addition, the system design allows for future enhancements and upgrades; the vendor followed a formal system development methodology; the system functions reliably, is generally secure from unauthorized access, and contains accurate information recorded on its database. ACRIS has been incorporated into the Department’s disaster recovery plan. Finally, the Department procured the system in accordance with City Charter provisions and PPB rules.

However, the Department did not hire an independent quality-assurance consultant, as recommended by Comptroller’s Directive 18, and does not have adequate controls to identify and eliminate improper user IDs or the IDs of users who are inactive. ACRIS users are not required to change their passwords regularly, and the ACRIS user list is not reviewed periodically. In addition, our survey of ACRIS users disclosed that 70 percent of the respondents would like to see changes made to ACRIS to correct problems with data entry, to standardize and enhance user screens, and to improve response time to user problems.

Audit Recommendations

To address these issues, we recommend that the Department:

• Employ an independent quality-assurance consultant to monitor and review development work and any system enhancements or subsequent work on ACRIS and on any future development projects.

• Complete and implement procedures for security controls over user accounts.

• Terminate inactive accounts identified in this audit.

• Periodically identify and terminate inactive user accounts.

• Ensure that ACRIS is more user-friendly by addressing the concerns identified in the report. In that regard, the Department should improve the timelines of the help desk response, simplify data entry, provide additional training to users, standardize user screens, and improve response times for completing multiple actions.

Conduct periodic surveys of users to ensure that their concerns are addressed.