Audit Report on the Development and Implementation of the Enterprise Asset Management System by the New York City Fire Department
This audit assessed the development and implementation of the Enterprise Asset Management System (EAMS) by the Fire Department (FDNY) and determined whether EAMS meets the overall asset and inventory management goals and the business and system requirements of the FDNY, and whether it also allows for future enhancements and upgrades.
Prior to 2003, the FDNY depended on a manual, paper-based system to record and track the various internal requests made each year for service, repair, or replacement of installed equipment at FDNY facilities. To address many of the shortcomings inherent in its manual process, and to maximize the efficiency and computerization of all internal purchasing, asset, and inventory management processes and controls, and of the audit procedures required by the City, the FDNY entered into a contract with ICICI, Inc. (ICICI) to purchase and customize an asset management application. EAMS was the product that ICICI was to create for the FDNY from that application. From May 2004 to June 2004, EAMS was implemented in all five boroughs. ICICI was paid $1.1 million for the development of EAMS.
Audit Findings and Conclusions
A formal system methodology was agreed to by both the vendor, ICICI, and the FDNY, and was adhered to during the course of the system’s integration. EAMS generally functions reliably, contains accurate information, and reasonable controls are in place to keep it secure from unauthorized access. EAMS has been fully incorporated into the Building Maintenance Division (BMD) processes—the division responsible for the repair and maintenance of FDNY buildings. Therefore, implementation is considered complete, and the FDNY is in the process of fine-tuning the application. EAMS was procured in accordance with the provisions of the City Charter and the Procurement Policy Board (PPB) rules.
However, EAMS has no formal disaster-recovery plan and no written policies for information protection, logical or physical security, or application change control. Officials of the FDNY consider the work performed by the BMD critical to the FDNY mission. Given that, the lack of these plans and policies increases the likelihood that the system will be vulnerable to unauthorized access, abuse, theft of equipment, and the loss of mission-critical information, especially in the event of a disaster.
Audit Recommendations
To address these issues, we recommend that the FDNY:
1. Assess EAMS’s vulnerabilities and create a formal information protection plan to minimize the risks of exploitation of those vulnerabilities in accordance with Comptroller’s Directive #18 requirements.
2. Create a formal disaster-recovery business continuation plan for EAMS in accordance with Comptroller’s Directive #18 requirements, and periodically test the effectiveness of the plan.
3. Create a formal security policy that addresses physical and logical security; outlines the agency’s requirements and methods to maintain control over its information resources; and states the responsibilities of each user to comply with the established procedures—all in accordance with Comptroller’s Directive #18 standards.
4. Create a formal change-control policy for EAMS according to Comptroller’s Directive #18 requirements.