IT Audit Division Audit Report on the Development and Implementation of Capital Asset Management System by the Department of Citywide Administrative Services

June 29, 2007 | 7A06-112

AUDIT REPORT IN BRIEF

This audit examined the development and implementation of the Capital Asset Management System by the Department of Citywide Administrative Services (DCAS). DCAS is responsible for ensuring that City agencies have the critical resources and support needed to provide the best possible services to the public. DCAS supports City agencies’ needs in recruiting, hiring, and training employees; provides overall facilities management, including security, maintenance, and construction services for 53 public buildings; purchases, sells, and leases non-residential real property; and purchases, inspects, and distributes supplies and equipment.

On September 1, 2003,¹ DCAS contracted with Aramark Facility Services, Inc., (Aramark) to provide a Web-based capital planning and management software system known as the Capital Asset Management System (CAMS). DCAS procured CAMS through a New York State Office of General Services, Building Commissioning and Asset Management Services contract. As part of the contract, DCAS agreed that Aramark could use Vanderweil Facility Advisors, Inc., (VFA) as its subcontractor. VFA was to provide a detailed and comprehensive facility and infrastructure condition assessment of the 53 public buildings that were under the custodianship of DCAS. CAMS is currently installed and maintained by VFA at the AT&T Internet Data Center in Boston, Massachusetts. DCAS has not formally accepted the system as being completed because the data that was collected by VFA for each building is currently under review by the Division of Facilities Management and Construction.

Audit Findings and Conclusions

We could not conclude that CAMS as a finished product meets the overall goals as stated in the system justification, nor can we determine whether it meets the initial business and system requirements as specified by DCAS. However, the system is operational. In addition, DCAS has not formally accepted the system as being completed, asserting that the system would be accepted once information in the database is fully reviewed. Further, as DCAS did not provide supporting documentation, we could not substantiate the accuracy of the CAMS data, thus leaving unanswered the potential exposure of DCAS to inaccurate information.

VFA currently operates CAMS at the AT&T Internet Data Center in Boston, Massachusetts; however, VFA’s disaster-recovery plan is not specific, and documentation of a comprehensive test for disaster recovery was not provided. Moreover, security assessments have not been performed. Also, DCAS representatives did not review the access privileges of individuals employed by VFA who had access to CAMS. Nor did DCAS review VFA operational procedures and controls to ensure they were in accord with acceptable City standards.

Finally, VFA followed a formal methodology when it installed CAMS; CAMS allows for future enhancements and periodic upgrades; and DCAS generally complied with the applicable City Charter provisions and PPB rules when procuring the system.

Audit Recommendations

To address these issues, we recommend that DCAS:

  • Immediately perform an on-site review of VFA operation to ensure that VFA’s policies and procedures comply with DOI Directives.
  • Request from VFA the primary elements of the disaster-recovery plan for the CAMS system; and
  • Ensure that the disaster-recovery plan is tested in accordance with DOI Directives.
  • Perform an initial security-risk assessment of CAMS and then each year thereafter or when a major change to the system application is implemented;
  • Ensure adherence to applicable directives and standards identified during the security-risk assessment process; and
  • Perform a security-risk assessment of the alternate hosting site, if one is under consideration.
  • Create a formal procedure for DCAS and VFA for the periodic review of user privileges to ensure their appropriateness and make corrections as needed.

¹ Dated October 8, 2003

