town of hurley audit

Upload: tony-adamis

Post on 05-Apr-2018


7/31/2019 Town of Hurley Audit

DIVISION OF LOCAL GOVERNMENT & SCHOOL ACCOUNTABILITY

OFFICE OF THE NEW YORK STATE COMPTROLLER

Report of Examination

Period Covered: January 1, 2010 to August 10, 2011

2012M-63

Town of Hurley

Internal Controls Over Selected Financial Operations

Thomas P. DiNapoli

Table of Contents

Page
AUTHORITY LETTER 2
EXECUTIVE SUMMARY 3
INTRODUCTION 5
  Background 5
  Objective 5
  Scope and Methodology 5
  Comments of Local Officials and Corrective Action 6
PURCHASING 7
  Professional Services 7
  Quotations 8
  Conflict of Interest 9
  Recommendations 10
INFORMATION TECHNOLOGY 12
  User Access Controls 12
  Data Backup 14
  Disaster Recovery Plan 15
  Data Classification and Breach Notification Policy 15
  Personal, Private and Sensitive Information (PPSI) 16
  Online Banking 17
  Recommendations 18
COMPLIANCE WITH WORKERS' COMPENSATION REQUIREMENTS 20
  Recommendation 20
APPENDIX A Response From Local Officials 21
APPENDIX B OSC Comments on the Town's Response 24
APPENDIX C Audit Methodology and Standards 25
APPENDIX D How to Obtain Additional Copies of the Report 28
APPENDIX E Local Regional Office Listing 29

State of New York
Office of the State Comptroller
Division of Local Government and School Accountability

July 2012

Dear Town Officials:

A top priority of the Office of the State Comptroller is to help local government officials manage government resources efficiently and effectively and, by so doing, provide accountability for tax dollars spent to support government operations. The Comptroller oversees the fiscal affairs of local governments statewide, as well as compliance with relevant statutes and observance of good business practices. This fiscal oversight is accomplished, in part, through our audits, which identify opportunities for improving operations and Town Board governance. Audits also can identify strategies to reduce costs and to strengthen controls intended to safeguard local government assets.

Following is a report of our audit of the Town of Hurley, entitled Internal Controls Over Selected Financial Operations. This audit was conducted pursuant to Article V, Section 1 of the State Constitution and the State Comptroller's authority as set forth in Article 3 of the General Municipal Law.

This audit's results and recommendations are resources for local government officials to use in effectively managing operations and in meeting the expectations of their constituents. If you have questions about this report, please feel free to contact the local regional office for your county, as listed at the end of this report.

Respectfully submitted,

Office of the State Comptroller
Division of Local Government and School Accountability

EXECUTIVE SUMMARY

The Town of Hurley (Town) is located in Ulster County, comprises approximately 36 square miles, and has a population of approximately 6,600. The 2011 Town operating budget was $3.1 million, funded primarily through real property taxes. The Town provides various services to its residents, including general governmental support, street maintenance and improvements, snow removal, and refuse disposal. An elected five-member Town Board (Board) is the legislative body responsible for overseeing the Town's operations and finances.

All Town financial data is stored and processed at the office of the Town's appointed accounting firm. The Town uses the services of an external consultant to provide support for its internal information technology system, which houses data from the Town Clerk's office and the Building Department.

Scope and Objective

The objective of our audit was to examine the effectiveness of the Town's internal controls over procurement and information technology, and its compliance with the Workers' Compensation Law for the period January 1, 2010 to August 10, 2011. Our audit addressed the following related questions:

• Did the Board ensure that the Town procured quality goods and services at the lowest cost possible?

• Did Town officials properly safeguard information technology resources?

• Did Town officials comply with requirements of New York State's Workers' Compensation and Disability Laws?

Audit Results

We found that Town officials did not procure any of the 10 professional services providers tested, who were paid $510,419, through a request for proposals (RFP) or any form of competitive process. This occurred because the Town's procurement policy does not require use of competitive methods, such as RFPs, when procuring professional services. In addition, the Board did not enter into written agreements with nine of these providers. Town officials did not obtain the required quotations for purchases totaling $26,254 from six of 12 vendors tested. As a result, Town officials may not have obtained services at the best prices and may have paid for services not agreed upon.

We identified two Board members with conflicts of interests in Town contracts. One Board member had a prohibited interest in a contract when an agreement for a five-year seasonal lease of real estate¹ totaling $12,500 was executed with the Town. Although the Board member annually disclosed his interest and abstained from votes related to the agreement, the Board member was a member-manager of the firm that owned the property, and had a prohibited interest in the lease. The spouse of a second Board member is a Vice President and 30 percent owner of the corporation that provides engineering and land surveying services to the Town. The Board member did not disclose, in writing, her spouse's interest in the contract with the Town to the Board in 2010 or 2011, as required. The Town paid this firm $79,644 during the audit period. Abstention from voting did not eliminate the need to comply with the statutory requirement of public disclosure. When Town officials, in their private capacities, conduct business with the Town for which they serve, the public may question the appropriateness of the transactions. Such transactions may create an actual conflict of interest or the appearance of impropriety and/or may result in improper enrichment at taxpayers' expense.

We also found weaknesses in the Town's IT controls which increase the risk of unauthorized changes to data and potentially costly disruptions to the Town's operations that could result in the loss of data. These weaknesses include multiple users with administrative rights, and the lack of formal policies and procedures for adding, deleting, updating, and monitoring network user accounts, and backing up data. In addition, the Board has not developed a data recovery plan or a breach notification policy which is required by law. Further, by failing to adopt an information breach notification policy, in the event that private information is compromised, Town officials and employees may not be prepared to fulfill their legal obligation to notify affected individuals. Town officials began taking steps to remedy the deficiencies we identified.

Finally, Town officials need to improve compliance with New York State Workers' Compensation Law. Town officials did not obtain and maintain proof of workers' compensation and disability benefits insurance for 13 of the 15 vendors we tested, who were paid $252,599 during the audit period. Verification of insurance is necessary to ensure benefits are available, should workers get injured. It also levels the playing field, because it prevents employers from gaining a cost advantage by not carrying insurance. Further, it reduces the Town's liability in the event of an accident or injury.

Comments of Local Officials

The results of our audit and recommendations have been discussed with Town officials and their comments, which appear in Appendix A, have been considered in preparing this report. Except as indicated in Appendix A, Town officials generally agreed with our findings and indicated they have already initiated, or plan to initiate, corrective action. Appendix B includes our comments on issues Town officials raised in their response.

¹ The lease was for $2,500 for each of five years.

INTRODUCTION

Background

The Town of Hurley (Town) is located in Ulster County, comprises approximately 36 square miles, and has a population of approximately 6,600. The 2011 Town operating budget was $3.1 million, funded primarily through real property taxes. The Town provides various services to its residents, including general governmental support, street maintenance and improvements, snow removal, and refuse disposal.

An elected five-member Town Board (Board) is the legislative body responsible for overseeing the Town's operations and finances. The Board consists of the Town Supervisor (Supervisor) and four Board members. The Board is responsible for the overall financial management of the Town, including establishing appropriate internal controls and safeguarding assets. The Supervisor is the chief executive officer and chief fiscal officer, and is responsible, along with other administrative staff, for the day-to-day management of the Town under the direction of the Board.

All Town financial data is stored and processed at the office of the Town's appointed accounting firm. The Town uses the services of an external consultant to provide support for its internal information technology system, which houses data from the Town Clerk's office and the Building Department.

Objective

The objective of our audit was to examine the effectiveness of the Town's internal controls over procurement and information technology, and its compliance with the Workers' Compensation Law. Our audit addressed the following related questions:

• Did the Board ensure that the Town procured quality goods and services at the lowest cost possible?

• Did Town officials properly safeguard information technology resources?

• Did Town officials comply with requirements of New York State's Workers' Compensation and Disability Laws?

Scope and Methodology

We examined the Town's internal controls over purchases not subject to competitive bidding requirements, information technology, and compliance with the Workers' Compensation Law for the period January 1, 2010 to August 10, 2011.

We conducted our audit in accordance with generally accepted government auditing standards (GAGAS). More information on such standards and the methodology used in performing this audit are included in Appendix C of this report.

Comments of Local Officials and Corrective Action

The results of our audit and recommendations have been discussed with Town officials and their comments, which appear in Appendix A, have been considered in preparing this report. Except as indicated in Appendix A, Town officials generally agreed with our findings and indicated they have already initiated, or plan to initiate, corrective action. Appendix B includes our comments on issues Town officials raised in their response.

The Board has the responsibility to initiate corrective action. A written corrective action plan (CAP) that addresses the findings and recommendations in this report should be prepared and forwarded to our office within 90 days, pursuant to Section 35 of the General Municipal Law. For more information on preparing and filing your CAP, please refer to our brochure, Responding to an OSC Audit Report, which you received with the draft audit report. We encourage the Town Board to make this plan available for public review in the Clerk's office.

PURCHASING

The Board is responsible for ensuring that the Town purchases the desired quality and quantity of goods and services at the lowest cost. General Municipal Law (GML) requires the Board to adopt written policies and procedures for the procurement of goods and services that are not subject to competitive bidding, to ensure that the Town obtains goods and services from qualified providers at the most economical costs.

Town officials did not procure any of the 10 professional services providers tested, who were paid $510,419, through any form of competitive process. This occurred because the Town's procurement policy does not require use of competitive methods, such as a request for proposal (RFP), when procuring professional services. In addition, the Board did not enter into written agreements with nine of these providers. Town officials did not obtain the required quotations for purchases totaling $26,254 from six of 12 vendors tested. We also found that two Board members had conflicts of interests in Town contracts. As a result of these weaknesses, Town officials cannot be assured that they obtained goods and services at the best price possible in compliance with applicable laws and the Town's policy.

Professional Services

Competitive bidding is not required for the procurement of professional services which involve specialized skill, training and expertise; use of professional judgment or discretion; and/or a high degree of creativity. However, use of a competitive method, such as an RFP process, helps ensure the prudent and economical use of taxpayer moneys. In addition, written agreements between the Town and professional service providers give both parties a clear understanding of the services expected and the compensation for those services. Written agreements also serve as a source document for the Board to use in the audit and approval of claims for payment.

Town officials did not use RFPs or quotations to solicit competition for professional services. The Town paid $528,428 to 15 professional services providers during our audit period. We selected a sample of 10 of the 15 professional services providers² who were paid $510,419. The providers included: engineering $79,644, consulting $157,551, attorneys $107,333, accounting $76,141, insurance and benefits administration $89,750. Town officials did not procure any of the 10 professional services providers tested through an RFP or any form of competitive process. This occurred because the Town's procurement policy does not require competition for the acquisition of professional services, except when directed by the Board. Without seeking appropriate competition prior to selecting professional service providers, Town officials may not have obtained services at the best prices.

² We judgmentally selected the providers who were paid more than $10,000 during our audit period.

We reviewed payments totaling $510,419 made to the 10 providers during the audit period to determine if the providers submitted properly detailed invoices and were paid at authorized rates. One provider, who was paid $28,852, billed at an hourly rate that was $5 more than the Board-authorized rate and also billed for mileage, although mileage reimbursement was not included in the approving resolution. Therefore, the Town overpaid this provider $1,764. In addition, three providers, who were paid $161,286, submitted invoices that were not sufficiently itemized and lacked detail including dates and hours worked. For example, invoices submitted by an engineering firm, an attorney and a consultant listed service covering periods ranging from nine days to over a month. Without specific dates on the invoices, the charges could not be verified to Town records.

These deficiencies occurred because the Board did not enter into written agreements with nine of the providers tested. Furthermore, there were no rate agreements (either written or by resolution) for the services of five of the 10 providers, who were paid $195,503 during the audit period. Without such documentation, Town officials could not be assured that the Town received the services for which it paid. Without written agreements establishing the services to be provided and the fees to be paid, the Town is vulnerable to misunderstandings that may affect the level of service and/or the fees charged. Further, without documented approvals, there is no way for the Board to properly audit claims and determine if the fees charged were correct and for properly authorized services.

Quotations

The Town's procurement policy requires written and/or documented verbal quotations for purchase contracts that are less than $10,000 and public works contracts that are less than $20,000, with certain exceptions including acquisition of professional services, emergencies, sole source situations, and goods purchased from another governmental agency. The policy requires that the quotations and related information gathered are maintained and filed.

Town officials did not comply with the quotes requirements in the procurement policy. We judgmentally selected³ 15 purchases requiring quotations, totaling $53,010, for adherence to the Town's procurement policy. Town officials appropriately utilized County contracts for two purchases and purchased one item from another municipality. However, none of the remaining 12 purchases tested totaling $42,175 had quotations attached to claims packets. We subsequently located documentation of quotations for six purchases totaling $15,921 in Highway Department files. Town officials had not obtained quotations for the remaining six purchases totaling $26,254, which included the purchase of a truck plow kit for $6,183 and the purchase of heating fuel oil totaling $2,577.

³ See Appendix C, Audit Methodology and Standards, for details on our sample selection.

The failure to abide by and monitor compliance with the Town's procurement policy increases the risk that goods or services will not be obtained at the lowest possible price and that public moneys will not be used in the best interest of taxpayers.

Conflict of Interest

Local governments should have a formal system in place to ensure compliance with the conflict of interest provisions of GML.⁴ GML limits the ability of Town officials and employees to enter into contracts in which both their personal financial interests and their public powers and duties conflict. With certain exceptions, local officials and employees are prohibited from having an interest in a contract with the municipality for which they serve when they also have the power or duty, either individually or as a member of a board, to (1) negotiate, prepare, authorize or approve the contract; (2) to authorize or approve payment under the contract; (3) to audit bills or claims under the contract; or (4) to appoint an officer or employee with any of those powers or duties. GML provides an exception under certain conditions when a municipality enters into a purchase or leasehold interest of real estate.

A local official or employee has an interest in a contract when he or she receives a direct or indirect monetary or material benefit as a result of the contract. An official or employee is also deemed to have an interest in the contracts of his or her spouse, minor children and dependents (except employment contracts); firms, partnerships, or associations of which he or she is a member or employee; and corporations of which he or she is an officer, director, or employee, or directly or indirectly owns any stock. As a rule, interests in actual or proposed contracts on the part of a Town official or employee, or his or her spouse, must be publicly disclosed in writing to the official's or employee's immediate supervisor and to the Board, and included in the official minutes of the Board proceedings.

The Board adopted an amended code of ethics for all Town officials and employees in May 2007, which, among other things, prohibited conflicts of interest, and established a Board of Ethics. However, neither the Town Board nor its Board of Ethics effectively monitored whether Board members were complying with the code. We found that two Board members had arrangements with the Town that resulted in conflicts of interest, one of which was a prohibited interest.

⁴ General Municipal Law Article 18

One Board member had a prohibited interest in a contract when an agreement, dated November 1, 2009, for a five-year seasonal lease⁵ of real estate totaling $12,500 was executed with the Town. Although the Board member annually disclosed his interest and abstained from votes related to the agreement, the Board member was a member-manager of the firm that owned the property, and had a prohibited interest in the lease unless a statutory exception applied. GML provides an exception when a municipality purchases real property, including a leasehold interest, so long as the purchase and consideration are approved by an order of the State Supreme Court upon petition of the governing board. This exception did not apply because the Town Board did not obtain such an order.

The second conflict occurred because the spouse of a Town Board member is a Vice President and 30 percent owner of the corporation that provides engineering and land surveying services to the Town. The Town paid this firm $79,644 during the audit period. The Board member abstains from votes relating to issues between the Town and the engineering firm, and was not found to have a direct interest in the contracts. However, because the Board member's spouse has an interest in the contracts, the Board member is required to disclose, in writing, his or her spouse's interest in the contracts⁶ with the Town to the Board. There was no written disclosure made during 2010 or 2011 by the Board member. Abstention from voting does not eliminate the need to comply with the statutory requirement of public disclosure.

These conflicts occurred because the Town Board and the Town Ethics Board believed that they were complying with the law since the two Board members abstained from voting. When Town officials, in their private capacities, conduct business with the Town for which they serve, the public may question the appropriateness of the transactions. Such transactions may create an actual conflict of interest or the appearance of impropriety and/or may result in improper enrichment at taxpayers' expense.

⁵ The lease was for $2,500 for each of five years.

⁶ GML Section 803[1]

Recommendations

1. Town officials should consider including a requirement in the Town's procurement policy that competitive methods such as RFPs be used to obtain professional services.

2. Town officials should require written agreements with all professional service providers be executed detailing the service(s) to be provided and terms of compensation.

3. Town officials should monitor and enforce compliance with the Town's procurement policies to ensure that written and verbal quotes are obtained and documented, as required.

4. Town officials should take immediate action to resolve the existing prohibited conflict of interest.

5. Town officials should ensure that all officials and employees are familiar with the requirements of Article 18 of General Municipal Law and the Town Ethics and Disclosure Law as they relate to conflicts of interest, and enforce annual public disclosure requirements.


Administrative Rights

The system administrator function allows the assignment of user access rights as needed for employees' job duties. Administrator-level access also allows the downloading and installation of software, which must be strictly controlled. Prohibiting the installation of unauthorized software by system users is a crucial step in preventing potentially harmful software from infecting Town computers. Unauthorized programs could transfer personal or sensitive information to outside networks, slow down or bring down the network, and introduce viruses, spyware, and software that is not properly screened for current technological threats. Proper system administration includes controls to prevent unauthorized downloads and procedures for obtaining approval of any exceptions.

Although the Town's computer policy prohibits the installation or use of any hardware or software not owned by the Town, staff computers are not restricted, and users can download and install hardware and software. We tested five of the most actively used Town employee workstations⁷ and found that all five Town employees have administrative rights to the system. Although employees' access to some software applications is restricted according to job function, the ability to potentially download and install unauthorized software increases the risk that sensitive or critical data may be lost or compromised. Our tests of four workstations showed that all four computers had inappropriate security settings that did not enforce Town policy. In addition, we reviewed installed software on seven workstations and identified two inappropriate programs (a program that showed passwords hidden under asterisks and a program that erases internet history) on one computer. When we advised the Supervisor of the inappropriate programs, he arranged for their removal.

⁷ Supervisor, Secretary to the Supervisor, Town Clerk, Deputy Clerk, Code Enforcement Officer

User Access

Access to computer operations must be restricted to only those functions required by individual employees' job descriptions and/or official duties, and when granted, needs to preserve proper segregation of duties. The responsibility of individual users should be analyzed to determine what type of application access (for example, read, enter, modify, delete) users need to fulfill their responsibilities. Strong access controls restrict access only to these authorized functions.

The Town does not have formal policies and procedures for the addition, deletion, or modification of network user accounts, and access to certain applications in the Town Clerk's office was not sufficiently restricted. The Supervisor verbally instructs the IT Consultant to add or delete user access, and the Consultant did not always disable separating employees' computer and email access in a timely manner. We also identified deficiencies with authorization and level of access to applications in the Town Clerk's office.

Two Deputy Clerks share one user ID to access an application in the Town Clerk's office to be used by the Town Registrar; however, only one Deputy Clerk is appointed as Town Registrar. Therefore, both Deputy Clerks do not need access to this application. In another instance, we found that three Deputy Clerks had unrestricted access to a tax software application, even though the Tax Collector (who also is the Town Clerk) was the only one updating data. These inappropriate access rights occurred because the software was improperly set up, and Town officials did not generate or review access or report logs. Because the software allows access beyond what is necessary for an individual's assigned duties, the Town is at an increased risk that inappropriate, unauthorized transactions could be initiated and remain undetected and uncorrected. When we brought this to her attention, the Town Clerk immediately initiated action to correct access to the tax software application.
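The two access findings above (one registrar account shared by two Deputy Clerks, and update rights on the tax application held by three Deputy Clerks who never update data) are exactly what a periodic entitlement review against a least-privilege matrix is meant to catch. The Python script below is an added example, not part of the OSC report and not the Town's or its IT consultant's software; the application names, account names, roles and the role matrix are all constructed stand-ins for what a real review would take from the applications' user lists and from job descriptions.

```python
"""Entitlement review against a least-privilege matrix (added example;
not part of the OSC report). Flags shared accounts and access beyond
what a person's appointed role requires. All data below is constructed."""
from collections import defaultdict
from dataclasses import dataclass

# Ordered access levels: a higher level includes the lower ones.
LEVELS = {"none": 0, "read": 1, "update": 2, "admin": 3}

# Hypothetical least-privilege matrix: the highest level each role needs
# in each application. A real one is derived from job descriptions.
ROLE_MATRIX = {
    "registrar_app": {"Town Registrar": "update", "Town Clerk": "read"},
    "tax_app": {"Tax Collector": "update", "Town Clerk": "read",
                "Deputy Clerk": "read"},
}


@dataclass(frozen=True)
class Entitlement:
    app: str       # application name
    user_id: str   # account name inside the application
    person: str    # the individual who actually uses the account
    role: str      # that person's appointed role for this application
    level: str     # access level the application actually grants


def review(entitlements):
    """Return (finding_type, detail) tuples for every control exception."""
    findings = []
    people_per_account = defaultdict(set)
    for e in entitlements:
        people_per_account[(e.app, e.user_id)].add(e.person)
        # A role absent from the matrix is entitled to nothing.
        allowed = ROLE_MATRIX.get(e.app, {}).get(e.role, "none")
        if LEVELS[e.level] > LEVELS[allowed]:
            findings.append(("excess_access",
                             f"{e.person} ({e.role}) holds {e.level} on {e.app}; "
                             f"role allows {allowed}"))
    # One account used by several people defeats accountability in the logs.
    for (app, uid), people in sorted(people_per_account.items()):
        if len(people) > 1:
            findings.append(("shared_account",
                             f"{uid} on {app} is used by {', '.join(sorted(people))}"))
    return findings


# Constructed sample mirroring the report's two findings.
SAMPLE = [
    Entitlement("registrar_app", "registrar", "Deputy Clerk A", "Town Registrar", "update"),
    Entitlement("registrar_app", "registrar", "Deputy Clerk B", "Deputy Clerk", "update"),
    Entitlement("tax_app", "dclerk_a", "Deputy Clerk A", "Deputy Clerk", "update"),
    Entitlement("tax_app", "dclerk_b", "Deputy Clerk B", "Deputy Clerk", "update"),
    Entitlement("tax_app", "dclerk_c", "Deputy Clerk C", "Deputy Clerk", "update"),
    Entitlement("tax_app", "tclerk", "Town Clerk", "Tax Collector", "update"),
]


def summarize(entitlements=SAMPLE):
    """Count findings by type, which is what a quarterly review report needs."""
    counts = defaultdict(int)
    for kind, _ in review(entitlements):
        counts[kind] += 1
    return dict(counts)


if __name__ == "__main__":
    for kind, detail in review(SAMPLE):
        print(f"{kind:15} {detail}")
```

Run on the constructed sample it reports four excess-access exceptions (Deputy Clerk B on the registrar application, and all three Deputy Clerks on the tax application) and one shared account; the Town Clerk's update right on the tax application passes because the matrix grants it to the Tax Collector role. Keeping the matrix in a file that the Board or the Town Clerk signs off on turns the review into a documented control rather than an ad hoc check.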

Data Backup

It is important for the Town to ensure that data stored on computers and servers is backed up (i.e., a duplicate copy of information made) routinely to enable restoration in the event of a loss. Effective written backup procedures include provisions for maintaining multiple backup copies and storing these copies in a secure off-site location, as well as assignment of responsibility. Periodic testing and restoration of backups assures viability of data.

Data on Town employees' computers is stored on a server located in the Town Hall, which is backed up to an external hard drive stored in a locked server room. Off-site incremental backups are done by an online service provider, and the Town uses an IT Consultant who verifies successful completion of backups at least quarterly. Additionally, the Town's financial data is entered, processed and stored at its accountant's office; the accountant generates financial reports for the Board's use.

Although nightly backups are routinely performed, they are done without verification of successful completion. There are no procedures to ensure that nightly server backups are successful or that the data on the backups can be successfully restored. Not ensuring a full backup is removed to a secure offsite location subjects the data to many of the same risks (disasters). The IT Consultant does not verify viability of the backups during periodic visits.


There were some files excluded from incremental backup by the online service provider, and neither Town officials nor the IT Consultant could provide an explanation. Town officials do not receive periodic backups of the Town's financial data entered and processed by their accountant, and do not have an agreement detailing backup or security procedures used by the firm. Damage or loss to computer systems or data caused by third parties is not covered by the Town's insurance policy, and the Town is not named as additional insured on the liability insurance policies of the IT consultant or accountant.

By relying on third party providers, Town officials have not sufficiently addressed the Town's IT risks, or developed written policies and procedures for data backup and restoration. If Town systems were compromised, the Town could lose essential information which may not be recoverable, or incur unreimbursed expenses for restoration of systems or repair, or replacement of equipment.

Disaster Recovery Plan

A disaster recovery plan is intended to identify and describe how Town officials plan to deal with potential disasters. Such disasters may include any sudden, catastrophic event (e.g., fire, computer virus, or deliberate or inadvertent employee action) that compromises the availability or integrity of the IT system and data. Contingency planning to prevent loss of computer equipment and data and the procedures for recovery in the event of an actual loss are crucial to an organization. The plan needs to address the roles of key individuals and include the precautions to be taken to minimize the effects of a disaster so officials and responsible staff will be able to maintain or quickly resume day-to-day operations.

The Board has not adopted a disaster recovery plan. Therefore, in the event of a disaster, Town personnel have no guidelines or plan to help minimize or prevent the loss of equipment and data, or to provide guidance for implementing data recovery procedures. As a result, the Town's IT assets are at increased risk of loss or damage, and there could be potentially costly disruptions to its critical operations.

Data Classification and Breach Notification Policy

Data classification is the process of systematically assigning a level of sensitivity to data. It is an important step because not all sensitive data are equally risky or require the same level of safeguards. Data classification requires knowing where data are collected, processed, transmitted, stored and/or reported and understanding the nature of that information. A common classification scheme includes the categories for public, internal use, confidential, personal and restricted confidential information. Once identified, data are categorized, which helps to determine the extent to which they need to be secured. The internal controls that are established over data are generally based on the harm that could result to individuals and/or the Town if the information were to be inappropriately accessed, used or disclosed. Such data contained in databases should always be encrypted.

An individual's private and/or financial information, along with confidential business information, could be severely impacted if security is breached or data is improperly disclosed. New York State Technology Law requires cities, counties, towns, villages, and other local agencies to establish an information breach notification policy. The policy should detail how the Town would notify individuals whose private information was, or is reasonably believed to have been, acquired by a person without a valid authorization. The disclosure should be made in the most expedient time possible and without unreasonable delay, consistent with the legitimate needs of law enforcement or any measures necessary to determine the scope of the breach and restore the reasonable integrity of the data system.

Town officials informed us that they have not classified their data, and the Town has not adopted a breach notification policy. By failing to classify data and protect data on workstations and the server, resident and taxpayer information may be at unnecessary risk. Further, by failing to adopt an information breach notification policy, in the event that private information is compromised, Town officials and employees may not be prepared to fulfill their legal obligation to notify affected individuals.

Personal, Private and Sensitive Information (PPSI)

Towns collect, transmit and store a considerable amount of PPSI in the normal course of business. PPSI, as defined by the New York State Office of Cyber Security and Critical Infrastructure Coordination, is any information that access, disclosure, modification, destruction, or disruption of could significantly impact an organization or third parties. Changes in the regulatory environment have created requirements for the handling of specific types of information. Good governance and accountability require that local governments protect PPSI from unauthorized access or use regardless of the format in which it is collected, transmitted and stored.

We identified a number of issues relating to PPSI:

• Town officials have not established procedures to safeguard the storage and transport of sensitive and confidential data.

• PPSI has not been reviewed and categorized by the Town or the Town's IT consultant.

• The data stored on the Town's server and backup hard drive is not stored in an encrypted format.

• The software used by the Town Clerk's office to issue licenses that include PPSI is not encrypted.

• Town officials have not taken measures to ensure that sensitive data stored on the accountant's server is secured.

• The Town Supervisor is not aware of security measures enacted by the accounting firm for the Town's PPSI data that include employee retirement membership numbers, social security numbers, or vendor 1099 information.

Because Town officials have not established a formal security plan addressing PPSI, the Town is at an increased risk of access and misuse of confidential information by unauthorized individuals.
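As an added example serving both the data classification discussion above and the PPSI findings in this section (not code from the Town, its IT consultant or OSC), the following script scans documents for indicators of PPSI such as social security numbers and account numbers, assigns one of the classification levels the report names, records only masked matches so that the inventory itself holds no PPSI, and maps each level to the safeguards the report calls for. The regular expressions, the `[PUBLIC]` release marker, the control mapping and the sample documents are assumptions constructed for illustration.

```python
"""
PPSI discovery and classification scan.

Added example for the data-classification and PPSI findings above; not
code from the Town, its IT consultant or the Office of the State
Comptroller.  The four levels follow the categories the report names; the
patterns, the "[PUBLIC]" marker, the control mapping and the sample
documents are constructed for this example.
"""
import re

LEVELS = ("public", "internal", "confidential", "restricted")

# Indicators of PPSI.  The SSN shape is the standard AAA-GG-SSSS form with
# invalid area/group/serial values excluded; the EIN and bank-account shapes
# are assumptions made for this example.
PATTERNS = {
    "ssn": re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b"),
    "bank_account": re.compile(r"\b(?:acct|account)\s*#?\s*\d{6,12}\b", re.I),
    "ein": re.compile(r"\b\d{2}-\d{7}\b"),
}
RESTRICTED_KINDS = {"ssn", "bank_account"}  # identity or money: highest level
PUBLIC_MARKER = "[PUBLIC]"                   # assumed convention for released documents


def mask(value: str) -> str:
    """Keep only the last four digits so the inventory holds no usable PPSI."""
    total = sum(ch.isdigit() for ch in value)
    seen = 0
    out = []
    for ch in value:
        if ch.isdigit():
            seen += 1
            out.append(ch if seen > total - 4 else "*")
        else:
            out.append(ch)
    return "".join(out)


def classify_text(text: str) -> dict:
    """Return the classification level and masked findings for one document."""
    findings = []
    for kind, pattern in PATTERNS.items():
        for match in pattern.finditer(text):
            findings.append((kind, mask(match.group(0))))
    kinds = {kind for kind, _ in findings}
    if kinds & RESTRICTED_KINDS:
        level = "restricted"
    elif kinds:
        level = "confidential"
    elif text.lstrip().startswith(PUBLIC_MARKER):
        level = "public"
    else:
        level = "internal"
    return {"level": level, "findings": findings}


def required_controls(level: str) -> dict:
    """Map a level to the safeguards the report calls for: encryption at rest
    and in offsite backups for sensitive data, and inclusion in the breach
    notification policy's scope for private information.  Assumed policy."""
    sensitive = level in ("confidential", "restricted")
    return {
        "encrypt_at_rest": sensitive,
        "encrypted_offsite_backup": sensitive,
        "breach_notification_scope": level == "restricted",
    }


def classify_documents(docs: dict) -> dict:
    """Build the classification inventory: where PPSI lives and at what level."""
    inventory = {}
    for name, text in docs.items():
        result = classify_text(text)
        result["controls"] = required_controls(result["level"])
        inventory[name] = result
    return inventory


# Constructed sample documents; no real records.
SAMPLE_DOCS = {
    "web/public_notice.txt": "[PUBLIC] Town Board meets Tuesday at 7 pm.",
    "clerk/dog_licenses.csv": "owner,address\nJ. Doe,12 Main St\n",
    "finance/vendor_1099.txt": "Vendor EIN 12-3456789 paid $1,200 for plowing.",
    "finance/payroll_2010.txt": "J. Doe SSN 123-45-6789, direct deposit account 00123456",
}

if __name__ == "__main__":
    for name, info in classify_documents(SAMPLE_DOCS).items():
        print(f"{name}: {info['level']} {info['findings']}")
```

Pointing the scan at the server share, the backup drive and the Clerk's license exports produces the categorized inventory the findings say does not exist; the files that land in the confidential and restricted levels are the ones whose encryption at rest and handling by the accounting firm the Town should be able to confirm.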

Online Banking

Online banking provides a means of direct access to moneys held in the Town's accounts. It is an immediate way to review current account balances and account information, review recent transactions, and transfer moneys between bank accounts. Because of this access, adequate controls need to be established.

Written Policy: The Town should have a comprehensive written policy for online banking. This policy should include, but not be limited to, the following: the online banking functions (i.e., read-only, electronic transfer, wire transfer, etc.) that will be used by each employee with access to online banking, the employee permitted to authorize transactions, the employee who will record transactions, the employee who will review and reconcile transactions, and the procedures that will be followed when responding to potential fraudulent activity.

The Town does not have a formal online banking policy. Without a policy, the Town is at increased risk that inappropriate or unauthorized transactions will be initiated.

Banking Agreement: The Town should have an online banking agreement with each bank that provides those services. Per General Municipal Law,⁸ this agreement should prescribe the manner in which electronic or wire transfers will be accomplished, identify the names and numbers of the bank accounts from which electronic transfers or wire transfers may be made, identify which individuals are authorized to request an electronic or wire transfer of funds, and implement a security procedure as defined in Uniform Commercial Code, section 4-A-201.

⁸ General Municipal Law Section 5-a.

There is no separate online banking agreement between the Town and its bank; there is only a master agreement that neither identifies the names and numbers of the bank accounts from which electronic transfers can be made, nor identifies the individuals authorized to request them. There is no independent confirmation of activity by the bank. Town officials use the online banking services program in a limited manner; the accounts are available for viewing activity and making transfers between accounts, and the wire transfer module is not enabled. We identified and traced a total of 20 electronic transfers totaling $12,901,039 from source to destination accounts, and confirmed that the purposes of the transfers were appropriate.

Restriction of Online Banking Accounts: Segregation of duties within elected positions imposes a distinction between the responsibilities of the Town Supervisor, Town Clerk and Tax Collector. The Town Supervisor (in conjunction with the Board) has the obligation to audit various departments, but should not have access to other department funds until the funds are remitted to the Supervisor.

The Town Supervisor has the ability to view and transfer from accounts that exceed his authority. View access is available with the Town Supervisor's user ID and password for accounts captioned Justice Parker checking, Town Clerk other, Town Justice checking, Town Supervisor checking and Town Supervisor savings. The Supervisor can select from four accounts to transfer funds from and into; these are captioned Town Supervisor checking, Town Supervisor savings, Tax Collector checking and Tax Collector savings.

The Supervisor's online banking access to view or transfer funds should be limited to accounts for which he is responsible. Town officials may wish to revisit the decision to have online banking services available for the accounts of the Tax Collector and Town Clerk because the unused service and internet connection present a security risk.

Recommendations

6. Town officials should assess and review administrative designations on workstations, disable access where appropriate, and implement electronic controls to restrict the workstation users' ability to install unauthorized software or hardware.

7. Town officials should establish formal procedures for adding and deleting network user accounts.

8. The Town Clerk should contact the software application provider to ensure that separate user IDs and appropriate levels of access are established for each Deputy Clerk.

9. Town officials should develop and adopt relevant policies and establish procedures for backups including data viability testing and restoration of backups on a regular basis.

10. Town officials should ensure that a backup of the Town's server is stored offsite. Town officials also should ensure, through a written agreement with the accounting firm, that they have either physical access to the backups of the Town's financial data or confirmation of the accounting firm's processes to back up and protect Town financial data on its servers.

11. Town officials should ensure that all files intended for online backup are properly designated.

12. Town officials should ensure that the Town is named as additional insured by all vendors with access to Town data.

13. Town officials should develop a disaster recovery plan that addresses the range of threats to the Town's IT system, distribute the plan to all responsible parties, and ensure that the plan is periodically tested and updated as needed.

14. Town officials should adopt a breach notification policy in compliance with New York State Technology Law.

15. Town officials should identify and classify PPSI, and ensure that sensitive data is encrypted on Town servers and that sensitive data stored on servers at offsite locations is properly handled.

16. Town officials should establish a comprehensive written policy for online banking that adequately addresses all online banking functions.

17. Town officials should require that an online banking agreement be established that identifies the names and numbers of the bank accounts from which electronic transfers may be made, and identification of the individual(s) authorized to initiate transfers.


    Compliance With Workers Compensation Requirements

Workers Compensation Law requires the heads of all municipal entities to ensure that businesses applying for contracts carry workers compensation and disability benefits insurance. This requirement applies to both original issuances and renewals, whether the municipal entity is having the work done or is simply issuing the contract.

We identified 35 contracts that involved potentially hazardous work during the audit period, and judgmentally selected those vendors who received the higher payments and who performed the work on site in the Town. We selected a total of 15 contracts for further testing. These 15 contract vendors were paid a total of $266,653 during the audit period. The Town had evidence of appropriate workers compensation and disability benefits insurance on file for only two of the 15 vendors tested; one vendor's certificate expired before the end of the year. The Town did not have workers compensation and disability benefits insurance on file for 13 vendors who were paid $252,599.

Verification of insurance is necessary to ensure benefits are available, should workers get injured. It also levels the playing field, because it prevents employers from gaining a cost advantage by not carrying insurance. Further, it reduces the Town's liability in the event of an accident or injury.

Recommendation

18. Town officials should comply with the Workers Compensation Law and provide staff with appropriate procedures to be followed to secure the required documents. These procedures should include types of vendors and insurance required, deadlines for receiving the documents, and compliance procedures if the required documents are not provided.

    APPENDIX A

    RESPONSE FROM LOCAL OFFICIALS

    The local officials response to this audit can be found on the following pages.

[The Town officials' response letter appears in the original report as page images that were not captured in this text; its margin annotations refer the reader to Note 1 and Note 2 on page 24 (Appendix B).]

    APPENDIX B

    OSC COMMENTS ON THE TOWNS RESPONSE

Note 1

Town officials are mistaken. We do not have a past practice of removing findings if they are corrected prior to the end of our audit. Our reports discuss deficiencies that exist during the audit scope period and acknowledge changes and improvements made by Town officials during and subsequent to the completion of audit fieldwork.

Note 2

Subsequent to the completion of our audit fieldwork, the Supervisor sent us a written agreement for one of the nine vendors discussed in the report. We did not receive written agreements for the remaining eight vendors. Town officials also provided us with one letter of rates charged by a vendor that was not signed by the Board to indicate its acceptance.

Note 3

We did not dispute the efficiency of the Town's use of the shed. Our report states that, to comply with the law, the lease must be approved via an order of the State Supreme Court upon the Board's petition. At the time of our audit, there was no such Supreme Court order. The Town has apparently decided to discontinue the lease rather than petition the Supreme Court.


    APPENDIX C

    AUDIT METHODOLOGY AND STANDARDS

Our overall goal was to assess the adequacy of the internal controls put in place by officials to safeguard Town assets. To accomplish this, we interviewed appropriate Town officials and reviewed pertinent documents such as Board minutes, Town local laws, the Town Employee Handbook, General Municipal Law, Workers Compensation Law, and State Technology Law. We designed our audit to focus on those areas most at risk.

Purchasing:

When testing purchasing and ethics laws, we performed the following procedures:

• We interviewed Town and department officials and employees and reviewed available documents.

• We reviewed electronic disbursement data and quantified the number of professional service providers used by the Town and the total dollar amount paid for professional services during our audit period.

• We determined the population sample and judgmentally selected for audit those professional service providers paid more than $10,000 during the audit period.

• We obtained paid vouchers, requested written agreements, and compared rates paid to agreements or approvals in Board minutes.

• We reviewed electronic disbursement data and quantified the number of purchases and total dollar amounts for which quotations were required per the Town's procurement policy during the audit period.

• Using the total population, we selected an audit sample of 15. We began with a random sample starting with number five of the population count, and selected every 5th paid voucher. We later revised it to a judgmental sample as we eliminated purchases from duplicate vendors or purchases that did not meet our objective and replaced them with judgmental selections.

• We reviewed the vouchers in our audit sample to determine if designation of purchase under New York State or Ulster County Contract was indicated, if quotations obtained prior to the purchase were attached, or a sole source designation was indicated.

• We obtained and examined responses to our conflict of interest inquiries, reviewed Board minutes and Town Clerk records for submitted annual disclosures, initiated email correspondence to Board members to obtain clarifying information, obtained a copy of an executed leasehold agreement, reviewed paid vouchers, and consulted with our Legal Department.


Information Technology:

When testing information technology, we performed the following procedures:

• We interviewed Town officials and employees regarding the Town's information technology system and environment.

• We interviewed the IT consultant and the accountant, who are both third party providers, regarding the Town's information technology system, data, and environment.

• We reviewed the Employee Handbook's Computer Systems and Internet/On-Line Service Policy.

• We used an analytical program to examine controls to determine if sensitive information was at risk due to improper settings or contained unauthorized software.

• We examined workstation users and groups, and examined controls over network accounts and passwords for Town employees and third-party support technicians.

• We examined controls over application user accounts and user access to software applications used at the Town.

• We interviewed Town officials and a representative from the IT consultant regarding procedures in place for backups, verification of backup quality, and restoration of data.

• We interviewed the Town Supervisor regarding a disaster recovery plan and an information breach notification law.

• We reviewed the master banking agreement between the Town and its bank and observed on-line banking access of the Supervisor and Clerk.

• We identified and traced all electronic transfers made through on-line banking during the audit period from source to destination.

Compliance With Workers Compensation Requirements:

When testing compliance with Workers Compensation requirements, we performed the following procedures:

• We obtained and examined all documentation associated with the awarded contracts to determine if required workers compensation and disability insurance certificates were obtained. We consulted with the New York State Workers Compensation Board for clarification.

• We reviewed electronic disbursement data to assemble a list of possible contracts involving hazardous work and identified a population of 35 vendors from which we judgmentally selected a sample of 15.


APPENDIX D

HOW TO OBTAIN ADDITIONAL COPIES OF THE REPORT

To obtain copies of this report, write or visit our web page:

Office of the State Comptroller
Public Information Office
110 State Street, 15th Floor
Albany, New York 12236
(518) 474-4015
http://www.osc.state.ny.us/localgov/


    APPENDIX E

    OFFICE OF THE STATE COMPTROLLER

    DIVISION OF LOCAL GOVERNMENT

    AND SCHOOL ACCOUNTABILITY

    Andrew A. SanFilippo, Executive Deputy Comptroller

Steven J. Hancox, Deputy Comptroller

Nathaalie N. Carey, Assistant Comptroller

    LOCAL REGIONAL OFFICE LISTING

    BINGHAMTON REGIONAL OFFICE

    H. Todd Eames, Chief Examiner

    Office of the State Comptroller

    State Office Building - Suite 1702

    44 Hawley Street

    Binghamton, New York 13901-4417

    (607) 721-8306 Fax (607) 721-8313

    Email: [email protected]

Serving: Broome, Chenango, Cortland, Delaware, Otsego, Schoharie, Sullivan, Tioga, Tompkins Counties

    BUFFALO REGIONAL OFFICE

    Robert Meller, Chief Examiner

    Office of the State Comptroller

    295 Main Street, Suite 1032

    Buffalo, New York 14203-2510

    (716) 847-3647 Fax (716) 847-3643

    Email: [email protected]

    Serving: Allegany, Cattaraugus, Chautauqua, Erie,

    Genesee, Niagara, Orleans, Wyoming Counties

    GLENS FALLS REGIONAL OFFICE

    Jeffrey P. Leonard, Chief Examiner

    Office of the State Comptroller

    One Broad Street Plaza

    Glens Falls, New York 12801-4396

    (518) 793-0057 Fax (518) 793-5797

    Email: [email protected]

    Serving: Albany, Clinton, Essex, Franklin,

    Fulton, Hamilton, Montgomery, Rensselaer,

    Saratoga, Schenectady, Warren, Washington Counties

    HAUPPAUGE REGIONAL OFFICE

    Ira McCracken, Chief Examiner

    Office of the State Comptroller

    NYS Office Building, Room 3A10

    Veterans Memorial Highway

    Hauppauge, New York 11788-5533

    (631) 952-6534 Fax (631) 952-6530

    Email: [email protected]

    Serving: Nassau and Suffolk Counties

    NEWBURGH REGIONAL OFFICE

    Christopher Ellis, Chief Examiner

    Office of the State Comptroller

    33 Airport Center Drive, Suite 103

    New Windsor, New York 12553-4725

    (845) 567-0858 Fax (845) 567-0080

    Email: [email protected]

    Serving: Columbia, Dutchess, Greene, Orange,

    Putnam, Rockland, Ulster, Westchester Counties

    ROCHESTER REGIONAL OFFICE

    Edward V. Grant, Jr., Chief Examiner

    Office of the State Comptroller

    The Powers Building

    16 West Main Street Suite 522

    Rochester, New York 14614-1608

    (585) 454-2460 Fax (585) 454-3545

    Email: [email protected]

    Serving: Cayuga, Chemung, Livingston, Monroe,

    Ontario, Schuyler, Seneca, Steuben, Wayne, Yates Counties

    SYRACUSE REGIONAL OFFICE

    Rebecca Wilcox, Chief Examiner

    Office of the State Comptroller

    State Office Building, Room 409

    333 E. Washington Street

    Syracuse, New York 13202-1428

    (315) 428-4192 Fax (315) 426-2119

    Email: [email protected]

    Serving: Herkimer, Jefferson, Lewis, Madison,

    Oneida, Onondaga, Oswego, St. Lawrence Counties

    STATEWIDE AND REGIONAL PROJECTS

    Ann C. Singer, Chief Examiner

    State Office Building - Suite 1702

    44 Hawley Street

    Binghamton, New York 13901-4417

    (607) 721-8306 Fax (607) 721-8313