Audit Report on the Development and Implementation of the Contract Data System by the Department of Design and Construction

EXECUTIVE SUMMARY

The Department of Design and Construction (DDC) uses in-house resources and private consultants and contractors to provide design and construction services related to: streets and highways; sewers; water mains; correctional and court facilities; cultural institutions; libraries; schools; and other public buildings, facilities and structures.

DDC hired Deloitte & Touche Consulting Group/DRT Systems (DRT) in April 1998 to design and develop its Contract Data System (CDS), a customized computer application to centrally maintain information on all DDC contracts. CDS assists DDC in managing the City’s capital commitment plan, project schedules, and budgets. Phase I of CDS’s development, implemented in November 1999, provides links from contract data to project and payment data in other DDC systems (i.e., the Project INFO, Contract Ledger, and PAYLOG systems). Phase II, implemented in June 2001, adds functionality related to lists of pre-qualified vendors and awarded and renewed contracts. Preliminary planning for Phase III began in November 2001 and will include vendor performance tracking and enhanced historical information on contracts.

Our audit objectives were to determine whether:

• DDC followed a structured methodology for developing CDS;
• CDS meets users’ needs;
• CDS allows for future enhancements and upgrades;
• users are satisfied with the system.

Our fieldwork was conducted from October 2001 to March 2002. To achieve our objectives we reviewed and analyzed DDC’s:

• Project/Contract Info Functional Specifications;
• Project INFO Logical View Report;
• Info Graphical Interface Designs;
• User Review Results/System Corrections log; and
• the CDS development and implementation plans.

In addition, we interviewed DDC officials, verified whether the system met design specifications, and conducted a user satisfaction survey.

Since the City does not have a formal Systems Development Methodology, we used the following as criteria for this audit:

• New York City Comptroller’s Internal Control and Accountability Directive 18, "Guidelines for the Management, Protection and Control of Agency Information and Information Processing Systems" (Directive 18); and
• National Institute of Standards and Technology Special Publication 500-233, "A Framework for the Development and Assurance of High Integrity Software" (NIST).

This audit was conducted in accordance with generally accepted government auditing standards (GAGAS) and included tests of the records and other auditing procedures considered necessary. This audit was performed in accordance with the City Comptroller’s audit responsibilities as set forth in Chapter 5, § 93, of the New York City Charter.

DDC followed a structured methodology for developing CDS. The system, as developed, allows for future enhancements and upgrades. Phases I and II meet user needs, and users are generally satisfied with the system. However, DDC did not remove accounts of four inactive users from the system. Directive 18, § 8.1.2, states, "Active password management includes deactivation of inactive user accounts and accounts for employees whose services have terminated."

To address this issue, we recommend that DDC develop and implement a procedure to terminate inactive user accounts.

The matters covered in this report were discussed with officials from DDC during and at the conclusion of this audit. A preliminary draft was sent to DDC officials and discussed at an exit conference on May 14, 2002. On May 15, 2002, we submitted a draft report to DDC officials with a request for comments. We received a written response from DDC on May 30, 2002. DDC generally agreed with the audit’s finding and recommendation, stating that "DDC is pleased with the findings of the report and agrees with the audit’s one recommendation."