Second Follow-up Audit Report on the Data Processing Controls and Procedures of the Department of Homeless Services
Audit Report In Brief
This is a second follow-up audit to determine whether the New York City Department of Homeless Services (DHS) implemented the 12 recommendations made in the previous follow-up audit of data processing controls. In this report, we discuss the 12 recommendations from the prior audit in detail, as well as the implementation status of each recommendation.
In Fiscal Year 2001, the Comptroller’s Office conducted a follow-up audit to evaluate the adequacy of the DHS data center’s disaster recovery plans, program-change control procedures, data-security procedures, physical-security procedures, and operational procedures for protecting DHS computer assets and information. The audit also assessed DHS compliance with the Comptroller’s Internal Control and Accountability Guidelines for the Management, Protection and Control of Agency Information and Information Processing Systems (Directive 18).
Of the 12 recommendations made in the previous follow-up audit, DHS implemented three, partially implemented three, and did not implement six.
In this second follow-up audit, we found that DHS made improvements. First, DHS now complies with Comptroller’s Directive #10 because it records new equipment on the Financial Management System (FMS) Fixed Asset Inventory. Second, DHS reduced the risk of unauthorized users gaining access to the network by instituting a network-wide automatic time-out function. Third, the Department of Investigation approved an Internet Security Proposal. However, we found many of the same weaknesses that emerged in the previous audit. DHS still has neither formally documented nor updated its disaster recovery plan for the Office of Information Technology (OIT) staff, and it does not have an operational alternate site. In addition, written policies and procedures are incomplete because they do not address program-change controls or the monitoring of system access. Moreover, the DHS inventory of computer hardware is incomplete, and software inventory is still not tracked.
To address the issues that still exist, we make the following recommendations, some of which we made in our earlier audits. DHS should:
- Complete its Baseline Procedures Manual to include all administrative and operational policies and procedures for its computer environment, specifically those regarding network and Internet change control.
- Create, implement, and periodically test a disaster recovery plan that reflects the current environment.
- Establish an operational alternate processing and recovery site.
- Compile an up-to-date, accurate inventory for all computer equipment and software.
- Utilize the function within Microsoft 2000 to identify and disable unlicensed software.
- Establish and enforce a policy that the OIT Security Administrator match the current list of user IDs on the network to personnel records, identify inactive employees, and disable the user IDs for those individuals.
- Utilize the function within Microsoft 2000 to track system access violations.
- Establish formal procedures to document and report system access violations, and review and follow up on all reported violations.
- Establish written change-control procedures.
- Establish a special project team, reporting to the Commissioner, whose ultimate goal would be to ensure that the deficiencies noted in this report are addressed and corrected.
In conclusion, despite assurances from DHS officials that corrective action would be taken to address the issues raised in our two prior audit reports (issued on June 30, 1998, and January 25, 2001), many deficiencies still exist. Specifically, DHS still does not have: an operational alternate processing site; an updated disaster recovery plan; adequate inventory of computer hardware and software; and adequate policies and procedures for program-change controls and the monitoring of system access. Such weaknesses, if not addressed, increase the risk of unauthorized system access, business disruptions, misuse of sensitive data, and misappropriation of expensive equipment. Therefore, we also recommend that DHS establish a special project team, reporting to the Commissioner, whose ultimate goal would be to ensure that the deficiencies noted in this report are addressed and corrected.