Audit Report on the Development and Implementation of the Senior Tracking, Analysis and Reporting System Administered by the Department for the Aging
Executive Summary
We audited the New York City (the City) Department for the Aging’s (DFTA) Senior Tracking, Analysis and Reporting System (STARS) to determine whether the application meets the overall goals as stated in the system specifications, has adequate functions to ensure the information process is reliable, and is secure from unauthorized access.
DFTA is charged with promoting the independence, health and well-being of senior New Yorkers through advocacy, education, and the coordination and delivery of services. DFTA receives federal, state and city funds for these purposes. These funds are distributed by DFTA through contracts with over 500 direct service providers. DFTA services include hot meals and activities at Senior Centers, home-delivered meals, case management, home care, transportation, and legal assistance.
In July 2012, DFTA contracted with PeerPlace Networks LLC (PeerPlace) to customize its data management software into a single product called STARS to replace two computer systems. STARS is an internet-based system developed to manage and track client services. It contains one master client database that serves as the central repository of information for all connected service providers. STARS also contains modules tailored for specific services, such as preparing client route information for home-delivered meals and tracking attendance at Senior Centers. Authorized users can create client profiles, update client data, send referrals to other programs, and run reports based on their privilege level. STARS was implemented in April 2013 at Senior Centers, and expanded to other service providers soon after.
Audit Findings and Conclusions
Our audit found that the overall goals of STARS as stated in the system specifications have generally been met. STARS provides a centralized system to share client information between DFTA and its contracted service providers. However, we found that during the system development stage, DFTA did not comply with the rules of the New York City Procurement Policy Board (the PPB Rules) in connection with changes that were made to the contract deliverables. In addition, we found that in implementing STARS, DFTA failed to comply with the Security Accreditation Process, a citywide Department of Information Technology and Telecommunications (DoITT) policy. We also found security control weaknesses in STARS, including that users are not required to periodically change their passwords, that multiple users shared one account, and that inactive employees’ accounts were not disabled immediately. Further, we found system deficiencies that could affect the security and accuracy of client data, including unexpected user logouts, the ability to enter future dates for past events, and duplicate client records.
Audit Recommendations
To address these issues, we made 17 recommendations, including that DFTA should:
- Ensure any future contract changes are made in full compliance with the PPB Rules.
- Ensure that STARS complies with DoITT’s Citywide Security Policies and Standards.
- Require STARS users to comply with DoITT’s Password Policy.
- Ensure all terminated or inactive employee accounts are immediately deactivated from STARS.
- Review all accounts and ensure that STARS users are granted only the minimum level of privileges necessary for them to perform their job functions.
- Restrict STARS administrators’ access to their assigned jurisdiction only.
- Work with PeerPlace to identify and resolve the condition that is causing unexpected user logouts.
- Work with PeerPlace to implement an event modification feature in the software, and create a policy and procedure for deleting/correcting erroneous event entries.
- Work with PeerPlace to ensure that all date fields are validated prior to accepting data entry.
Agency Response
In its response, DFTA generally agreed with the audit’s findings and recommendations. The agency stated, “DFTA will be following up on these recommendations as it continues its ongoing work to further enhance and improve STARS functionality.”