Audit Report On The User Access Controls Of The New York City Housing Authority’s Tenant Selection System And Tenant Selection And Assignment Plan System
Our office performed an audit on the user access controls of the New York City Housing Authority’s Tenant Selection System and Tenant Select and Assignment Plan System. The goal of the New York City Housing Authority (NYCHA) is to provide decent and affordable housing in a safe and secure living environment to low- and moderate-income residents throughout the five boroughs. NYCHA screens the application, assigns a priority code based upon the information provided by the applicant, and enters the applicant’s information on NYCHA’s preliminary waiting list—the Housing Authority Tenant Selection (HATS) system. When an applicant is “certified” as eligible for NYCHA housing, this data is manually entered into the Tenant Selection and Assignment Plan (TSAP) system.
Audit Findings and Conclusions
The HATS and TSAP systems are not integrated, which makes it difficult for NYCHA to reconcile differences in applicant information and other data in the systems. The lack of system integration and data reconciliation between the two systems may allow for manipulation of the data so that ineligible applicants could be deemed eligible and placed in NYCHA housing. Further, the audit found 3,920 instances in which applicants listed as certified in HATS should have appeared on the TSAP database but did not. This raises the possibility that eligible applicants might not have been offered NYCHA housing when it was available for them.
Additionally, we found a number of operational and application control weaknesses that may expose both systems to unauthorized access; however, our audit found no instances of unauthorized access to the HATS and TSAP systems. Among specific weaknesses were: NYCHA did not terminate the HATS and TSAP accounts of some former employees; there are no formal procedures to ensure that each active HATS user has only the necessary access and user privileges required to complete the designated tasks for that user’s job functions; and the HATS audit logs do not indicate the user IDs of employees who are allowed to make data changes. In addition, our audit found that NYCHA lacks formal procedures for making and documenting program changes to the TSAP system.
NYCHA responded that the discrepancies between the HATS Master File and TSAP Referral File primarily resulted from data-entry errors. However, considering the previously mentioned lack of controls and other weaknesses, we cannot presume that the discrepancies were made inadvertently. Further, the error rates as described later in this report range up to ten percent. Error rates of this magnitude diminish NYCHA’s ability to provide housing opportunities fairly and equitably to all who are eligible.
Audit Recommendations
To address these issues, we recommend that NYCHA:
• Create an electronic interface that would allow information from HATS to be sent to TSAP and also allow for system reconciliation.
• Review and correct the items mentioned in this report for both systems to ensure that the information in HATS and TSAP are consistent.
• Ensure that it terminates the access privileges of employees who have inactive HATS and TSAP accounts, as well as those of all former employees.
• Create a formal procedure for HATS that ensures the approved review of user privileges.
• Ensure that HATS audit logs identify the user ID of the person making changes to the system.
• NYCHA should create written procedures to ensure that only appropriate, authorized changes are made to TSAP application and system software.