Selected reports and information published by New York State's Comptroller Thomas P. DiNapoli on February 26, 2015
On February 26, 2015 New York State Comptroller Thomas P. DiNapoli announced that the following audits have been issued:
Department of Health (DOH): Medicaid Program: Medicaid Claims Processing Activity April 1, 2013 Through September 30, 2013 (2013-S-12)
DOH’s eMedNY computer system processes Medicaid claims submitted by providers for services rendered to Medicaid-eligible recipients, and it generates payments to reimburse the providers for their claims. During the six-month period ended Sept. 30, 2013, auditors identified over $5.6 million in inappropriate or questionable Medicaid payments. By the end of the audit fieldwork, auditors recovered about $2.3 million of the overpayments identified.
Department of Labor (DOL): Assessment and Collection of Selected Fees and Penalties (Follow-Up) (2014-F-19)
An initial report, issued in May 2013, determined that DOL had not collected about $3.8 million in fees and penalties for the Public Work Enforcement Fund, the boiler inspection program and the asbestos abatement program. Auditors also determined DOL does not have accurate records to show who is required to pay boiler inspection and asbestos-related project fees. In a follow-up, auditors found DOL has made substantial progress in addressing the issues identified in the initial report.
Metropolitan Transportation Authority (MTA): Headquarters and Capital Construction Travel and Entertainment Expenses (2013-S-47)
Auditors found MTA Headquarters and MTA Capital Construction have opportunities to strengthen controls over travel and entertainment, which could help reduce certain costs. For example, MTAHQ and MTACC could utilize federal travel guidelines (established by the U.S. General Services Administration and the U.S. Department of State) pertaining to maximum allowable lodging rates. Auditors found certain travel transactions lacked proper prior approvals, statements of purpose, or other required supporting travel documentation. Business office staff did not consistently ensure that all required approvals and supporting documents were included with employees’ travel expense reports.
New York City Department of Housing Preservation and Development (NYC HPD): Housing Preferences for Veterans (2014-F-14)
An initial report issued in June 2012 found that although the state Legislature had extended the right of preference for housing to many more veterans, few actually benefited due to inaction or disregard by housing companies and lax enforcement by NYC HPD. Auditors found two housing companies in Manhattan (Hamilton House and Clinton Towers) filled vacant apartments with non-veterans even though veterans had been identified on their waiting lists. In a follow-up report, auditors found NYC HPD has made progress in addressing the issues identified in the initial report and has implemented all three prior recommendations.
Office of Information Technology Services (OITS): Security and Effectiveness of Division of Criminal Justice Services’ (DCJS) Core Systems (2014-S-24)
Auditors found that OITS does not have an established monitoring and oversight process for user access management of DCJS systems and is not operating in compliance with state cyber security policies. OITS does not have established policies and procedures for backup of key DCJS systems. Also, ITS does not have an active regional backup site, and DCJS systems are at risk for total data loss in the event of a regional disaster. Auditors also found OITS does not have an established monitoring and oversight process for software or operating systems and changes made to these systems.
Office of Information Technology Services (OITS): Security and Effectiveness of the Department of Labor’s Unemployment Insurance System (2014-S9)
Auditors found the Unemployment Insurance System data has not yet been classified as required by the current security policy, even though 80 of the 83 unemployment insurance applications in use by the Labor Department have been deemed mission critical. The security policy indicates that all agency information should be classified on an ongoing basis based on its confidentiality, integrity, and availability. Almost two years after the transition of services, OITS still does not have a service level agreement in place governing responsibilities and services provided to human services agencies. Auditors also found that although mainframe programming changes are logged, there is no indication of when these changes have been implemented, thereby reducing accountability.
Office of Information Technology Services (OITS): Security and Effectiveness of Department of Motor Vehicles’ (DMV) Licensing and Registration Systems (2013-S-58)
Auditors found OITS and DMV are not in compliance with the payment card industry data security standards that govern the systems that process credit card transactions. Since January 2012, neither agency has completed and submitted a required self-assessment questionnaire or third-party compliance report, which are necessary to ensure that all risks have been properly identified and mitigated. Non-compliance also exposes the state to other risks ranging from extensive fines or penalties to business disruption due to cancelled accounts and the inability to accept credit card payments. OITS does not have an established monitoring and oversight process for user access management of DMV systems and is not operating in compliance with state cybersecurity policies.