Audit Report on the Reliability and Integrity of the Department of Housing Preservation and Development’s Emergency Repair Program Data
EXECUTIVE SUMMARY
We performed an audit of the reliability and integrity of the Department of Housing Preservation and Development’s (HPD) Emergency Repair Program data. The responsibilities of HPD include maximizing the availability, affordability, and quality of housing in New York City. HPD’s Central Complaint Bureau, which is part of the City’s 311 government information system, receives all complaints about emergency conditions from tenants in privately-owned and City-owned buildings. These complaints are entered into the HPDInfo computer system.
If the repairs are not made within the 24-to-72-hour period, HPD, through its HPDInfo’s Emergency Repair Program (ERP),¹ hires a contractor or assigns its own employees to make the repair. Regardless of whether HPD employees or vendors correct the emergency condition, HPD notifies the Department of Finance (DOF) of the cost of the repair. DOF is responsible for billing the owner for the cost of the repair.
Audit Findings and Conclusions
The ERP data exists in a secure environment with restricted access and is readily available to its users. We found that data in all mandatory fields is entered in the correct data format (i.e., numerical format, date format, or letter format). However, we uncovered inaccurate and incomplete data, and unused data fields, within the ERP database. Access to ERP data is obtained through a pre-approval process, but access-control weaknesses exist: ERP has no automatic lockout feature that disables login after a predetermined number of unsuccessful attempts to access ERP data, and users who are no longer employed by HPD or who are on leave still maintain active ERP access. Therefore, we could not ascertain whether the ERP database is accurate, complete, or reliable for the process of paying vendors and billing property owners.
Audit Recommendations
To address these issues, we recommend that HPD:
Perform an edit check and create a system control to ensure that the ERP vendor information is complete, accurate, and up-to-date.
Review ERP tables, deleting any unused fields in a particular table, thus eliminating the possibility that inaccurate information is introduced into the system.
Develop written policies and procedures for password-security control for the ERP database.
Develop written policies and procedures for tracking system users and terminating inactive User IDs. In addition, HPD should periodically review the status of inactive user accounts and terminate access, when appropriate.
Terminate inactive accounts identified in this audit.
1. ERP data resides on the client server of the HPDInfo system.