Audit Report on the Development and Implementation of the Notice of Violation Administration System by the Department of Sanitation

AUDIT REPORT IN BRIEF

We performed an audit of the development and implementation of the Notice of Violation Administrative System (NOVAS) by the Department of Sanitation (DSNY). DSNY is tasked to promote a healthy environment through the efficient management of solid waste by developing environmentally sound, long-range planning to handle solid waste and refuse. According to the City Charter (§753 (6) (b) and (c)) the Commissioner of DSNY may adopt and must enforce regulations regarding the collection of refuse and other material, including by issuing summonses for violations of regulations.

Previously, the summons-issuance process, from the issuance of paper summonses to the creation of management reports, was performed manually using paper. However, in 2004, DSNY contracted with ICICI InfoTech, Inc.¹, to develop NOVAS, a computerized system that would streamline the entire summons-issuance and management process. The contract with ICICI InfoTech, Inc. was valued at approximately $4.5 million.

In 2006 NOVAS became operational, which allowed the DSNY Enforcement Agents and Sanitation Police Officers to use portable handheld devices to issue summonses, replacing the manual writing of paper tickets. Agents can now enter and print violations using the device. At the end of each work day, the information on the summonses stored in the handheld devices is downloaded into the NOVAS central server, batched, and sent to the Environmental Control Board (ECB) for adjudication.

Audit Findings and Conclusions

NOVAS met the overall goals as stated in the original system justification; and the system design allowed for future enhancements and upgrades. DSNY followed a formal system development methodology when developing NOVAS. Also, DSNY has a network architecture configuration for NOVAS that was approved by DoITT. NOVAS complies with Electronic Signature and Records Act Federal guidelines, and the handheld devices are physically secure when not in use. However, the results of our user surveys indicated that the users have problems or concerns that DSNY must address to improve the system’s functionality and productivity. Also, our data integrity tests indicate that DSNY must address specific issues to improve the reliability of the system.

Audit Recommendations

To address these issues, we recommend that DSNY:

• Address the user concerns revealed in our survey. In that regard, DSNY should consider improving the screens of the handheld device, adding additional space in the violation detail section, deleting unused items, adding additional menu options as well as correcting misspelled words in the drop-down section, and providing additional training to those users who reported that they had limited knowledge of the system.

• Correct the data fields noted as having incorrect information and create adequate input controls or adequate data validation checks to ensure that no further data entry errors are allowed.

• Correct the mandatory data fields noted that are blank and create edit checks to ensure that processing of data cannot be finalized until all mandatory fields are completed.

• Review NOVAS system tables, deleting any unused or unnecessary fields in a particular table, thus eliminating the possibility that inaccurate information is introduced into the system.

• Enforce the requirement for users to change their password every 45 days. In that regard, DSNY should program a warning in NOVAS reminding the users to change their password. If the password is not changed, the user should be locked out and access disabled.

• Develop written policies and procedures to terminate inactive user IDs. In addition, DSNY should immediately terminate the access of those individuals who are no longer employed by the agency. Further, DSNY should review the status of the inactive users and terminate access as appropriate.

• Complete and approve a formal, comprehensive disaster-recovery plan for NOVAS in accordance with DoITT’s Business Continuity Directive.

• Periodically test the formal, approved disaster-recovery plan.