7/31/2019 Town of Hurley Audit
1/30
DIVISION OF LOCAL GOVERNMENT
& SCHOOL ACCOUNTABILITY
OFFICE OF THE NEW YORK STATE COMPTROLLER
Report of Examination
Period Covered:
January 1, 2010 to August 10, 2011
2012M-63
Town of Hurley
Internal Controls Over Selected Financial Operations
Thomas P. DiNapoli
Table of Contents
Page
AUTHORITY LETTER 2
EXECUTIVE SUMMARY 3
INTRODUCTION 5
Background 5
Objective 5
Scope and Methodology 5
Comments of Local Officials and Corrective Action 6
PURCHASING 7
Professional Services 7
Quotations 8
Conflict of Interest 9
Recommendations 10
INFORMATION TECHNOLOGY 12
User Access Controls 12
Data Backup 14
Disaster Recovery Plan 15
Data Classification and Breach Notification Policy 15
Personal, Private and Sensitive Information (PPSI) 16
Online Banking 17
Recommendations 18
COMPLIANCE WITH WORKERS' COMPENSATION REQUIREMENTS 20
Recommendation 20
APPENDIX A Response From Local Officials 21
APPENDIX B OSC Comments on the Town's Response 24
APPENDIX C Audit Methodology and Standards 25
APPENDIX D How to Obtain Additional Copies of the Report 28
APPENDIX E Local Regional Office Listing 29
State of New York
Office of the State Comptroller
Division of Local Government
and School Accountability
July 2012
Dear Town Officials:
A top priority of the Office of the State Comptroller is to help local government officials manage
government resources efficiently and effectively and, by so doing, provide accountability for
tax dollars spent to support government operations. The Comptroller oversees the fiscal affairs of
local governments statewide, as well as compliance with relevant statutes and observance of good
business practices. This fiscal oversight is accomplished, in part, through our audits, which identify
opportunities for improving operations and Town Board governance. Audits also can identify
strategies to reduce costs and to strengthen controls intended to safeguard local government assets.
Following is a report of our audit of the Town of Hurley, entitled Internal Controls Over Selected
Financial Operations. This audit was conducted pursuant to Article V, Section 1 of the State Constitution
and the State Comptroller's authority as set forth in Article 3 of the General Municipal Law.
This audit's results and recommendations are resources for local government officials to use in
effectively managing operations and in meeting the expectations of their constituents. If you have
questions about this report, please feel free to contact the local regional office for your county, as listed
at the end of this report.
Respectfully submitted,
Office of the State Comptroller
Division of Local Government
and School Accountability
EXECUTIVE SUMMARY
The Town of Hurley (Town) is located in Ulster County, comprises approximately 36 square miles,
and has a population of approximately 6,600. The 2011 Town operating budget was $3.1 million,
funded primarily through real property taxes. The Town provides various services to its residents,
including general governmental support, street maintenance and improvements, snow removal, and
refuse disposal. An elected five-member Town Board (Board) is the legislative body responsible for
overseeing the Town's operations and finances.
All Town financial data is stored and processed at the office of the Town's appointed accounting firm.
The Town uses the services of an external consultant to provide support for its internal information
technology system, which houses data from the Town Clerk's office and the Building Department.
Scope and Objective
The objective of our audit was to examine the effectiveness of the Town's internal controls over
procurement and information technology, and its compliance with the Workers' Compensation Law
for the period January 1, 2010 to August 10, 2011. Our audit addressed the following related questions:
Did the Board ensure that the Town procured quality goods and services at the lowest cost
possible?
Did Town officials properly safeguard information technology resources?
Did Town officials comply with requirements of New York State's Workers' Compensation
and Disability Laws?
Audit Results
We found that Town officials did not procure any of the 10 professional services providers tested,
who were paid $510,419, through a request for proposals (RFP) or any form of competitive process.
This occurred because the Town's procurement policy does not require use of competitive methods,
such as RFPs, when procuring professional services. In addition, the Board did not enter into written
agreements with nine of these providers. Town officials did not obtain the required quotations for
purchases totaling $26,254 from six of 12 vendors tested. As a result, Town officials may not have
obtained services at the best prices and may have paid for services not agreed upon.
We identified two Board members with conflicts of interest in Town contracts. One Board member
had a prohibited interest in a contract when an agreement for a five-year seasonal lease of real estate[1]
totaling $12,500 was executed with the Town. Although the Board member annually disclosed his
interest and abstained from votes related to the agreement, the Board member was a member-manager
of the firm that owned the property, and had a prohibited interest in the lease. The spouse of a second
Board member is a Vice President and 30 percent owner of the corporation that provides engineering
and land surveying services to the Town. The Board member did not disclose, in writing, her spouse's
interest in the contract with the Town to the Board in 2010 or 2011, as required. The Town paid this
firm $79,644 during the audit period. Abstention from voting did not eliminate the need to comply
with the statutory requirement of public disclosure. When Town officials, in their private capacities,
conduct business with the Town for which they serve, the public may question the appropriateness
of the transactions. Such transactions may create an actual conflict of interest or the appearance of
impropriety and/or may result in improper enrichment at taxpayers' expense.
We also found weaknesses in the Town's IT controls which increase the risk of unauthorized changes
to data and potentially costly disruptions to the Town's operations that could result in the loss of data.
These weaknesses include multiple users with administrative rights, and the lack of formal policies
and procedures for adding, deleting, updating, and monitoring network user accounts, and backing
up data. In addition, the Board has not developed a data recovery plan or a breach notification policy,
which is required by law. Further, by failing to adopt an information breach notification policy, in the
event that private information is compromised, Town officials and employees may not be prepared to
fulfill their legal obligation to notify affected individuals. Town officials began taking steps to remedy
the deficiencies we identified.
Finally, Town officials need to improve compliance with New York State Workers' Compensation
Law. Town officials did not obtain and maintain proof of workers' compensation and disability
benefits insurance for 13 of the 15 vendors we tested, who were paid $252,599 during the audit period.
Verification of insurance is necessary to ensure benefits are available, should workers get injured.
It also levels the playing field, because it prevents employers from gaining a cost advantage by not
carrying insurance. Further, it reduces the Town's liability in the event of an accident or injury.
Comments of Local Officials
The results of our audit and recommendations have been discussed with Town officials and their
comments, which appear in Appendix A, have been considered in preparing this report. Except as
indicated in Appendix A, Town officials generally agreed with our findings and indicated they have
already initiated, or plan to initiate, corrective action. Appendix B includes our comments on issues
Town officials raised in their response.
[1] The lease was for $2,500 for each of five years.
Introduction
Background
The Town of Hurley (Town) is located in Ulster County, comprises
approximately 36 square miles, and has a population of approximately
6,600. The 2011 Town operating budget was $3.1 million, funded
primarily through real property taxes. The Town provides various
services to its residents, including general governmental support,
street maintenance and improvements, snow removal, and refuse
disposal.
An elected five-member Town Board (Board) is the legislative body
responsible for overseeing the Town's operations and finances.
The Board consists of the Town Supervisor (Supervisor) and four
Board members. The Board is responsible for the overall financial
management of the Town, including establishing appropriate internal
controls and safeguarding assets. The Supervisor is the chief
executive officer and chief fiscal officer, and is responsible, along
with other administrative staff, for the day-to-day management of the
Town under the direction of the Board.
All Town financial data is stored and processed at the office of the
Town's appointed accounting firm. The Town uses the services of
an external consultant to provide support for its internal information
technology system, which houses data from the Town Clerk's office
and the Building Department.
Objective
The objective of our audit was to examine the effectiveness of
the Town's internal controls over procurement and information
technology, and its compliance with the Workers' Compensation
Law. Our audit addressed the following related questions:
Did the Board ensure that the Town procured quality goods
and services at the lowest cost possible?
Did Town officials properly safeguard information technology
resources?
Did Town officials comply with requirements of New York
State's Workers' Compensation and Disability Laws?
Scope and Methodology
We examined the Town's internal controls over purchases not subject
to competitive bidding requirements, information technology, and
compliance with the Workers' Compensation Law for the period
January 1, 2010 to August 10, 2011.
We conducted our audit in accordance with generally accepted
government auditing standards (GAGAS). More information on such
standards and the methodology used in performing this audit is
included in Appendix C of this report.
Comments of Local Officials and Corrective Action
The results of our audit and recommendations have been discussed
with Town officials and their comments, which appear in Appendix
A, have been considered in preparing this report. Except as indicated
in Appendix A, Town officials generally agreed with our findings and
indicated they have already initiated, or plan to initiate, corrective
action. Appendix B includes our comments on issues Town officials
raised in their response.
The Board has the responsibility to initiate corrective action. A
written corrective action plan (CAP) that addresses the findings and
recommendations in this report should be prepared and forwarded
to our office within 90 days, pursuant to Section 35 of the General
Municipal Law. For more information on preparing and filing your
CAP, please refer to our brochure, Responding to an OSC Audit
Report, which you received with the draft audit report. We encourage
the Town Board to make this plan available for public review in the
Clerk's office.
Purchasing
The Board is responsible for ensuring that the Town purchases the
desired quality and quantity of goods and services at the lowest cost.
General Municipal Law (GML) requires the Board to adopt written
policies and procedures for the procurement of goods and services
that are not subject to competitive bidding, to ensure that the Town
obtains goods and services from qualified providers at the most
economical costs.
Town officials did not procure any of the 10 professional services
providers tested, who were paid $510,419, through any form of
competitive process. This occurred because the Town's procurement
policy does not require use of competitive methods, such as a request
for proposal (RFP), when procuring professional services. In addition,
the Board did not enter into written agreements with nine of these
providers. Town officials did not obtain the required quotations for
purchases totaling $26,254 from six of 12 vendors tested. We also
found that two Board members had conflicts of interest in Town
contracts. As a result of these weaknesses, Town officials cannot
be assured that they obtained goods and services at the best price
possible in compliance with applicable laws and the Town's policy.
Competitive bidding is not required for the procurement of professional
services which involve specialized skill, training and expertise;
use of professional judgment or discretion; and/or a high degree of
creativity. However, use of a competitive method, such as an RFP
process, helps ensure the prudent and economical use of taxpayer
moneys. In addition, written agreements between the Town and
professional service providers give both parties a clear understanding
of the services expected and the compensation for those services.
Written agreements also serve as a source document for the Board to
use in the audit and approval of claims for payment.
Professional Services
Town officials did not use RFPs or quotations to solicit competition
for professional services. The Town paid $528,428 to 15 professional
services providers during our audit period. We selected a sample
of 10 of the 15 professional services providers[2] who were paid
$510,419. The providers included: engineering $79,644, consulting
$157,551, attorneys $107,333, accounting $76,141, insurance and
benefits administration $89,750. Town officials did not procure any
of the 10 professional services providers tested through an RFP or
any form of competitive process. This occurred because the Town's
procurement policy does not require competition for the acquisition
of professional services, except when directed by the Board. Without
seeking appropriate competition prior to selecting professional
service providers, Town officials may not have obtained services at
the best prices.
[2] We judgmentally selected the providers who were paid more than $10,000 during
our audit period.
We reviewed payments totaling $510,419 made to the 10 providers
during the audit period to determine if the providers submitted properly
detailed invoices and were paid at authorized rates. One provider,
who was paid $28,852, billed at an hourly rate that was $5 more
than the Board-authorized rate and also billed for mileage, although
mileage reimbursement was not included in the approving resolution.
Therefore, the Town overpaid this provider $1,764. In addition, three
providers, who were paid $161,286, submitted invoices that were
not sufficiently itemized and lacked detail including dates and hours
worked. For example, invoices submitted by an engineering firm, an
attorney and a consultant listed service covering periods ranging from
nine days to over a month. Without specific dates on the invoices, the
charges could not be verified to Town records.
These deficiencies occurred because the Board did not enter into
written agreements with nine of the providers tested. Furthermore,
there were no rate agreements (either written or by resolution) for the
services of five of the 10 providers, who were paid $195,503 during
the audit period. Without such documentation, Town officials could
not be assured that the Town received the services for which it paid.
Without written agreements establishing the services to be provided
and the fees to be paid, the Town is vulnerable to misunderstandings
that may affect the level of service and/or the fees charged. Further,
without documented approvals, there is no way for the Board to
properly audit claims and determine if the fees charged were correct
and for properly authorized services.
Quotations
The Town's procurement policy requires written and/or documented
verbal quotations for purchase contracts that are less than $10,000
and public works contracts that are less than $20,000, with
certain exceptions including acquisition of professional services,
emergencies, sole source situations, and goods purchased from
another governmental agency. The policy requires that the quotations
and related information gathered are maintained and filed.
Town officials did not comply with the quotes requirements in
the procurement policy. We judgmentally selected[3] 15 purchases
requiring quotations, totaling $53,010, for adherence to the Town's
procurement policy. Town officials appropriately utilized County
contracts for two purchases and purchased one item from another
municipality. However, none of the remaining 12 purchases tested
totaling $42,175 had quotations attached to claims packets. We
subsequently located documentation of quotations for six purchases
totaling $15,921 in Highway Department files. Town officials had not
obtained quotations for the remaining six purchases totaling $26,254,
which included the purchase of a truck plow kit for $6,183 and the
purchase of heating fuel oil totaling $2,577.
The failure to abide by and monitor compliance with the Town's
procurement policy increases the risk that goods or services will not
be obtained at the lowest possible price and that public moneys will
not be used in the best interest of taxpayers.
[3] See Appendix C, Audit Methodology and Standards, for details on our sample
selection.
Conflict of Interest
Local governments should have a formal system in place to ensure
compliance with the conflict of interest provisions of GML.[4] GML
limits the ability of Town officials and employees to enter into
contracts in which both their personal financial interests and their
public powers and duties conflict. With certain exceptions, local
officials and employees are prohibited from having an interest in a
contract with the municipality for which they serve when they also
have the power or duty, either individually or as a member of a board,
to (1) negotiate, prepare, authorize or approve the contract; (2) to
authorize or approve payment under the contract; (3) to audit bills
or claims under the contract; or (4) to appoint an officer or employee
with any of those powers or duties. GML provides an exception
under certain conditions when a municipality enters into a purchase
or leasehold interest of real estate.
[4] General Municipal Law Article 18
A local official or employee has an interest in a contract when he
or she receives a direct or indirect monetary or material benefit as
a result of the contract. An official or employee is also deemed to
have an interest in the contracts of his or her spouse, minor children
and dependents (except employment contracts); firms, partnerships,
or associations of which he or she is a member or employee; and
corporations of which he or she is an officer, director, or employee, or
directly or indirectly owns any stock. As a rule, interests in actual or
proposed contracts on the part of a Town official or employee, or his
or her spouse, must be publicly disclosed in writing to the official's
or employee's immediate supervisor and to the Board, and included
in the official minutes of the Board proceedings.
The Board adopted an amended code of ethics for all Town officials
and employees in May 2007, which, among other things, prohibited
conflicts of interest, and established a Board of Ethics. However,
neither the Town Board nor its Board of Ethics effectively monitored
whether Board members were complying with the code. We found that
two Board members had arrangements with the Town that resulted in
conflicts of interest, one of which was a prohibited interest.
One Board member had a prohibited interest in a contract when an
agreement, dated November 1, 2009, for a five-year seasonal lease[5]
of real estate totaling $12,500 was executed with the Town. Although
the Board member annually disclosed his interest and abstained from
votes related to the agreement, the Board member was a member-manager
of the firm that owned the property, and had a prohibited
interest in the lease unless a statutory exception applied. GML provides
an exception when a municipality purchases real property, including
a leasehold interest, so long as the purchase and consideration are
approved by an order of the State Supreme Court upon petition of
the governing board. This exception did not apply because the Town
Board did not obtain such an order.
The second conflict occurred because the spouse of a Town Board
member is a Vice President and 30 percent owner of the corporation
that provides engineering and land surveying services to the Town.
The Town paid this firm $79,644 during the audit period. The Board
member abstains from votes relating to issues between the Town and
the engineering firm, and was not found to have a direct interest in
the contracts. However, because the Board member's spouse has an
interest in the contracts, the Board member is required to disclose, in
writing, his or her spouse's interest in the contracts[6] with the Town to
the Board. There was no written disclosure made during 2010 or 2011
by the Board member. Abstention from voting does not eliminate the
need to comply with the statutory requirement of public disclosure.
These conflicts occurred because the Town Board and the Town
Ethics Board believed that they were complying with the law
since the two Board members abstained from voting. When Town
officials, in their private capacities, conduct business with the Town
for which they serve, the public may question the appropriateness
of the transactions. Such transactions may create an actual conflict
of interest or the appearance of impropriety and/or may result in
improper enrichment at taxpayers' expense.
[5] The lease was for $2,500 for each of five years.
[6] GML Section 803[1]
Recommendations
1. Town officials should consider including a requirement in the
Town's procurement policy that competitive methods such as
RFPs be used to obtain professional services.
2. Town officials should require written agreements with all
professional service providers be executed detailing the service(s)
to be provided and terms of compensation.
3. Town officials should monitor and enforce compliance with the
Town's procurement policies to ensure that written and verbal
quotes are obtained and documented, as required.
4. Town officials should take immediate action to resolve the existing
prohibited conflict of interest.
5. Town officials should ensure that all officials and employees are
familiar with the requirements of Article 18 of General Municipal
Law and the Town Ethics and Disclosure Law as they relate
to conflicts of interest, and enforce annual public disclosure
requirements.
Administrative Rights
The system administrator function allows
the assignment of user access rights as needed for employees' job
duties. Administrator-level access also allows the downloading and
installation of software, which must be strictly controlled. Prohibiting
the installation of unauthorized software by system users is a crucial
step in preventing potentially harmful software from infecting
Town computers. Unauthorized programs could transfer personal or
sensitive information to outside networks, slow down or bring down
the network, and introduce viruses, spyware, and software that is
not properly screened for current technological threats. Proper system
administration includes controls to prevent unauthorized downloads
and procedures for obtaining approval of any exceptions.
Although the Town's computer policy prohibits the installation
or use of any hardware or software not owned by the Town, staff
computers are not restricted, and users can download and install
hardware and software. We tested five of the most actively used Town
employee workstations[7] and found that all five Town employees
have administrative rights to the system. Although employees'
access to some software applications is restricted according to job
function, the ability to potentially download and install unauthorized
software increases the risk that sensitive or critical data may be lost
or compromised. Our tests of four workstations showed that all four
computers had inappropriate security settings that did not enforce
Town policy. In addition, we reviewed installed software on seven
workstations and identified two inappropriate programs (a program
that showed passwords hidden under asterisks and a program that
erases internet history) on one computer. When we advised the
Supervisor of the inappropriate programs, he arranged for their
removal.
User Access
Access to computer operations must be restricted to only
those functions required by individual employees' job descriptions
and/or official duties, and when granted, needs to preserve proper
segregation of duties. The responsibility of individual users should be
analyzed to determine what type of application access (for example,
read, enter, modify, delete) users need to fulfill their responsibilities.
Strong access controls restrict access only to these authorized
functions.
The Town does not have formal policies and procedures for the
addition, deletion, or modification of network user accounts, and
access to certain applications in the Town Clerk's office was not
sufficiently restricted. The Supervisor verbally instructs the IT
Consultant to add or delete user access, and the Consultant did not
always disable separating employees' computer and email access in a
timely manner. We also identified deficiencies with authorization and
level of access to applications in the Town Clerk's office.
[7] Supervisor, Secretary to the Supervisor, Town Clerk, Deputy Clerk, Code
Enforcement Officer
Two Deputy Clerks share one user ID to access an application in
the Town Clerk's office to be used by the Town Registrar; however,
only one Deputy Clerk is appointed as Town Registrar. Therefore,
both Deputy Clerks do not need access to this application. In another
instance, we found that three Deputy Clerks had unrestricted access to
a tax software application, even though the Tax Collector (who also is
the Town Clerk) was the only one updating data. These inappropriate
access rights occurred because the software was improperly set
up, and Town officials did not generate or review access or report
logs. Because the software allows access beyond what is necessary
for an individual's assigned duties, the Town is at an increased risk
that inappropriate, unauthorized transactions could be initiated and
remain undetected and uncorrected. When we brought this to her
attention, the Town Clerk immediately initiated action to correct
access to the tax software application.
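As an added example, not part of the report and not any Town system's code, the following Python script performs the kind of periodic access review these findings call for: it compares an account export against an HR roster and flags accounts of separated employees that remain enabled, user IDs shared by more than one person, and application access that a job title does not require. The account export, roster, names, dates and duty-to-access rules are all constructed for illustration.

```python
from datetime import date

# Constructed sample data, not from the report: an export of network and
# application accounts and an HR roster. Names, titles and dates are invented.
ACCOUNTS = [
    {"user_id": "jsmith", "enabled": True, "apps": ["email", "tax"],
     "used_by": ["J. Smith"]},
    # One login used by two people, like the shared registrar ID in the report.
    {"user_id": "registrar", "enabled": True, "apps": ["vital_records"],
     "used_by": ["A. Lee", "B. Ortiz"]},
    {"user_id": "bortiz", "enabled": True, "apps": ["email", "tax"],
     "used_by": ["B. Ortiz"]},
    # Separated employee whose account was never disabled.
    {"user_id": "rjones", "enabled": True, "apps": ["email"],
     "used_by": ["R. Jones"]},
]
ROSTER = {
    "J. Smith": {"title": "Town Clerk / Tax Collector", "separated": None},
    "A. Lee": {"title": "Deputy Clerk / Town Registrar", "separated": None},
    "B. Ortiz": {"title": "Deputy Clerk", "separated": None},
    "R. Jones": {"title": "Code Enforcement Officer", "separated": date(2011, 5, 2)},
}
# Which titles need which applications. Assumed for the example; a real review
# would take this matrix from job descriptions and official duties.
ENTITLEMENTS = {
    "email": lambda title: True,
    "tax": lambda title: "Tax Collector" in title,
    "vital_records": lambda title: "Registrar" in title,
}


def review_access(accounts, roster, as_of, grace_days=1, entitlements=ENTITLEMENTS):
    """Compare accounts against the roster and the duty-to-access rules.

    Returns three lists of findings:
      separated_still_enabled: (user_id, person) for accounts still enabled more
          than grace_days after the person's separation date;
      shared_ids: user_ids attributed to more than one person, which removes
          individual accountability in any access log;
      excess_access: (user_id, person, app) where the person's duties do not
          call for that application.
    """
    findings = {"separated_still_enabled": [], "shared_ids": [], "excess_access": []}
    for acct in accounts:
        if len(acct["used_by"]) > 1:
            findings["shared_ids"].append(acct["user_id"])
        for person in acct["used_by"]:
            emp = roster.get(person)
            if emp is None:
                # Nobody on the roster owns this account: every app is excess.
                for app in acct["apps"]:
                    findings["excess_access"].append((acct["user_id"], person, app))
                continue
            sep = emp["separated"]
            if acct["enabled"] and sep is not None and (as_of - sep).days > grace_days:
                findings["separated_still_enabled"].append((acct["user_id"], person))
            for app in acct["apps"]:
                allowed = entitlements.get(app, lambda title: False)
                if not allowed(emp["title"]):
                    findings["excess_access"].append((acct["user_id"], person, app))
    return findings


def review_sample():
    """Run the review over the constructed data as of the end of the audit period."""
    return review_access(ACCOUNTS, ROSTER, date(2011, 8, 10))


if __name__ == "__main__":
    for kind, items in review_sample().items():
        print(kind, items)
```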
Data Backup
It is important for the Town to ensure that data stored on computers
and servers is backed up (i.e., a duplicate copy of information made)
routinely to enable restoration in the event of a loss. Effective written
backup procedures include provisions for maintaining multiple backup
copies and storing these copies in a secure off-site location, as
well as assignment of responsibility. Periodic testing and restoration
of backups assures viability of data.
Data on Town employees' computers is stored on a server located in
the Town Hall, which is backed up to an external hard drive stored
in a locked server room. Off-site incremental backups are done
by an online service provider, and the Town uses an IT Consultant
who verifies successful completion of backups at least quarterly.
Additionally, the Town's financial data is entered, processed and
stored at its accountant's office; the accountant generates financial
reports for the Board's use.
Although nightly backups are routinely performed, they are done
without verification of successful completion. There are no
procedures to ensure that nightly server backups are successful or that
the data on the backups can be successfully restored. Not ensuring a
full backup is removed to a secure offsite location subjects the data to
many of the same risks (disasters). The IT Consultant does not verify
viability of the backups during periodic visits.
There were some files excluded from incremental backup by the
online service provider, and neither Town officials nor the IT Consultant
could provide an explanation. Town officials do not receive periodic
backups of the Town's financial data entered and processed by
their accountant, and do not have an agreement detailing backup or
security procedures used by the firm. Damage or loss to computer
systems or data caused by third parties is not covered by the Town's
insurance policy, and the Town is not named as additional insured on
the liability insurance policies of the IT consultant or accountant.
By relying on third party providers, Town officials have not
sufficiently addressed the Town's IT risks, or developed written
policies and procedures for data backup and restoration. If Town
systems were compromised, the Town could lose essential
information which may not be recoverable, or incur unreimbursed
expenses for restoration of systems or repair, or replacement of
equipment.
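As an added example (not the Town's or its IT Consultant's procedure), the following Python script implements the verification the report says is absent: it checks that the last backup job is recent, that every file on the server is either in the backup or on an approved exclusion list, and it performs a test restore into a scratch directory and re-hashes each restored file against the backup manifest. The directory layout, file names, manifest format and the damaged-copy scenario are constructed for the example.

```python
import hashlib
import json
import os
import shutil
import tempfile
import time


def sha256_of(path):
    """Digest a file in chunks so large backup members do not load into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def list_files(base):
    """Sorted relative paths of every regular file under base (manifest excluded)."""
    out = []
    for root, _dirs, files in os.walk(base):
        for name in files:
            rel = os.path.relpath(os.path.join(root, name), base)
            if rel != "manifest.json":
                out.append(rel)
    return sorted(out)


def make_backup(source_dir, backup_dir, exclude=(), created=None):
    """Copy source_dir to backup_dir and write a manifest of SHA-256 digests.
    Paths in `exclude` are skipped on purpose and recorded, so a later review can
    tell an approved exclusion from an unexplained one (the report found both)."""
    os.makedirs(backup_dir, exist_ok=True)
    manifest = {"created": created or time.time(), "files": {},
                "excluded": sorted(exclude)}
    for rel in list_files(source_dir):
        if rel in manifest["excluded"]:
            continue
        dest = os.path.join(backup_dir, rel)
        os.makedirs(os.path.dirname(dest), exist_ok=True)
        shutil.copy2(os.path.join(source_dir, rel), dest)
        manifest["files"][rel] = sha256_of(dest)
    with open(os.path.join(backup_dir, "manifest.json"), "w") as f:
        json.dump(manifest, f)
    return manifest


def verify_backup(source_dir, backup_dir, max_age_hours=24, now=None):
    """The checks the report found missing: did the nightly job complete, is every
    source file either in the backup or on the approved exclusion list, and can
    the copy be restored byte-for-byte (restore into a scratch directory, re-hash)."""
    with open(os.path.join(backup_dir, "manifest.json")) as f:
        manifest = json.load(f)
    now = now or time.time()
    findings = {"stale": (now - manifest["created"]) > max_age_hours * 3600,
                "unexplained_exclusions": [], "missing": [], "corrupt": [],
                "restore_ok": True}
    for rel in list_files(source_dir):
        if rel not in manifest["files"] and rel not in manifest["excluded"]:
            findings["unexplained_exclusions"].append(rel)
    restore_dir = tempfile.mkdtemp(prefix="restore_test_")
    try:
        for rel, digest in manifest["files"].items():
            src = os.path.join(backup_dir, rel)
            if not os.path.exists(src):
                findings["missing"].append(rel)
                continue
            dest = os.path.join(restore_dir, rel)
            os.makedirs(os.path.dirname(dest), exist_ok=True)
            shutil.copy2(src, dest)
            if sha256_of(dest) != digest:
                findings["corrupt"].append(rel)
    finally:
        shutil.rmtree(restore_dir, ignore_errors=True)
    findings["restore_ok"] = not (findings["missing"] or findings["corrupt"])
    return findings


def demo():
    """Constructed scenario: one approved exclusion, one file created after the
    last run, one backup copy damaged on the external drive, and a job 30 hours old."""
    work = tempfile.mkdtemp(prefix="backup_demo_")
    src, bak = os.path.join(work, "server"), os.path.join(work, "external_drive")
    sample = {"clerk/vitals.db": b"registrar records",
              "building/permits.db": b"permit applications",
              "clerk/cache.tmp": b"scratch"}
    for rel, body in sample.items():
        os.makedirs(os.path.dirname(os.path.join(src, rel)), exist_ok=True)
        with open(os.path.join(src, rel), "wb") as f:
            f.write(body)
    make_backup(src, bak, exclude=["clerk/cache.tmp"], created=time.time() - 30 * 3600)
    with open(os.path.join(src, "building", "inspections.db"), "wb") as f:
        f.write(b"created after the backup ran")  # neither backed up nor approved
    with open(os.path.join(bak, "building", "permits.db"), "wb") as f:
        f.write(b"truncated")  # silent damage to the backup copy
    try:
        return verify_backup(src, bak)
    finally:
        shutil.rmtree(work, ignore_errors=True)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```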
Disaster Recovery Plan
A disaster recovery plan is intended to identify and describe how
Town officials plan to deal with potential disasters. Such disasters
may include any sudden, catastrophic event (e.g., fire, computer
virus, or deliberate or inadvertent employee action) that compromises
the availability or integrity of the IT system and data. Contingency
planning to prevent loss of computer equipment and data and the
procedures for recovery in the event of an actual loss are crucial to an
organization. The plan needs to address the roles of key individuals
and include the precautions to be taken to minimize the effects of a
disaster so officials and responsible staff will be able to maintain or
quickly resume day-to-day operations.
The Board has not adopted a disaster recovery plan. Therefore, in the
event of a disaster, Town personnel have no guidelines or plan to help
minimize or prevent the loss of equipment and data, or to provide
guidance for implementing data recovery procedures. As a result, the
Town's IT assets are at increased risk of loss or damage, and there
could be potentially costly disruptions to its critical operations.
Data Classification and Breach Notification Policy
Data classification is the process of systemically assigning a level
of sensitivity to data. It is an important step because not all sensitive
data are equally risky or require the same level of safeguards. Data
classification requires knowing where data are collected, processed,
transmitted, stored and/or reported and understanding the nature
of that information. A common classification scheme includes the
categories for public, internal use, confidential, personal and restricted
confidential information. Once identified, data are categorized, which
helps to determine the extent to which they need to be secured. The
internal controls that are established over data are generally based
7/31/2019 Town of Hurley Audit
17/30
16 OFFICEOFTHE NEW YORK STATE COMPTROLLER16
on the harm that could result to individuals and/or the Town if the
information were to be inappropriately accessed, used or disclosed.
Such data contained in data bases should always be encrypted.
An individual's private and/or financial information, along with confidential business information, could be severely impacted if security is breached or data is improperly disclosed. New York State Technology Law requires cities, counties, towns, villages, and other local agencies to establish an information breach notification policy.
The policy should detail how the Town would notify individuals
whose private information was, or is reasonably believed to have
been, acquired by a person without a valid authorization. The
disclosure should be made in the most expedient time possible and
without unreasonable delay, consistent with the legitimate needs of
law enforcement or any measures necessary to determine the scope
of the breach and restore the reasonable integrity of the data system.
Town officials informed us that they have not classified their data, and
the Town has not adopted a breach notification policy. By failing to
classify data and protect data on workstations and the server, resident
and taxpayer information may be at unnecessary risk. Further, by
failing to adopt an information breach notification policy, in the
event that private information is compromised, Town officials and
employees may not be prepared to fulfill their legal obligation to
notify affected individuals.
Personal, Private and Sensitive Information (PPSI)

Towns collect, transmit and store a considerable amount of PPSI in the normal course of business. PPSI, as defined by the New York State Office of Cyber Security and Critical Infrastructure Coordination, is any information the access, disclosure, modification, destruction, or disruption of which could significantly impact an organization or third parties. Changes in the regulatory environment have created requirements for the handling of specific types of information. Good governance and accountability require that local governments protect PPSI from unauthorized access or use regardless of the format in which it is collected, transmitted and stored.

We identified a number of issues relating to PPSI:

- Town officials have not established procedures to safeguard the storage and transport of sensitive and confidential data.
- PPSI has not been reviewed and categorized by the Town or the Town's IT consultant.
- The data stored on the Town's server and backup hard drive is not stored in an encrypted format.
- The software used by the Town Clerk's office to issue licenses that include PPSI is not encrypted.
- Town officials have not taken measures to ensure that sensitive data stored on the accountant's server is secured.
- The Town Supervisor is not aware of security measures enacted by the accounting firm for the Town's PPSI data, which include employee retirement membership numbers, social security numbers, and vendor 1099 information.
Because Town officials have not established a formal security plan
addressing PPSI, the Town is at an increased risk of access and
misuse of confidential information by unauthorized individuals.
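As an added example of how a classification, once assigned, can drive the handling of PPSI in practice (example code written for this page, not a tool of the Town, its consultants or OSC; the detectors, the level assigned to each kind of data, the clearance of each destination and the sample records are all assumptions), the Python below scans records for social security numbers and for the employer identification numbers that appear on vendor 1099 forms, raises each record's classification to the level that data requires under the five-level scheme described above, builds an inventory of which stored items carry such data, and masks the identifiers before a record may be written to a store cleared only for a lower level, such as an unencrypted backup drive.

```python
"""Added example: locating PPSI and letting its classification drive handling.

Scans free text for social security numbers (SSNs) and employer
identification numbers (EINs), raises a record's classification to the
level such data requires, inventories where that data lives, and masks it
before it may be written to a store not cleared for that level. Patterns,
levels, clearances and sample records are assumptions made for this example.
"""
import re
from typing import NamedTuple

# The five-level scheme described in the report, least to most sensitive.
LEVELS = ("public", "internal use", "confidential", "personal", "restricted confidential")
RANK = {name: i for i, name in enumerate(LEVELS)}

# Detectors. The SSN pattern skips area 000, 666 and 900-999, group 00 and
# serial 0000, none of which are issued as SSNs, which removes most false
# positives on other dash-separated numbers. EIN format is NN-NNNNNNN.
DETECTORS = {
    "ssn": re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b"),
    "ein": re.compile(r"\b\d{2}-\d{7}\b"),
}
# Assumed policy: the minimum classification a record must carry when it contains each kind of data.
MIN_LEVEL = {"ssn": "restricted confidential", "ein": "confidential"}


class Finding(NamedTuple):
    kind: str
    start: int
    end: int


def scan(text: str) -> list[Finding]:
    """Return every PPSI match in the text, ordered by position."""
    found = [Finding(kind, m.start(), m.end())
             for kind, rx in DETECTORS.items() for m in rx.finditer(text)]
    return sorted(found, key=lambda f: f.start)


def classify(text: str, declared: str = "internal use") -> tuple[str, list[Finding]]:
    """Raise the declared level to whatever the data found inside requires; never lower it."""
    findings = scan(text)
    level = declared
    for f in findings:
        if RANK[MIN_LEVEL[f.kind]] > RANK[level]:
            level = MIN_LEVEL[f.kind]
    return level, findings


def mask(text: str, findings: list[Finding]) -> str:
    """Replace every digit of each finding except the last four with '*', keeping separators."""
    out = text
    for f in reversed(findings):  # right to left so earlier offsets stay valid
        raw = out[f.start:f.end]
        total = sum(ch.isdigit() for ch in raw)
        seen = 0
        masked = []
        for ch in raw:
            if ch.isdigit():
                seen += 1
                masked.append(ch if seen > total - 4 else "*")
            else:
                masked.append(ch)
        out = out[:f.start] + "".join(masked) + out[f.end:]
    return out


def release(text: str, declared: str, destination_level: str) -> str:
    """Text as it may be written to a store cleared only up to destination_level
    (for example an unencrypted backup drive): unchanged when the record's level
    is within that clearance, otherwise with the PPSI masked."""
    level, findings = classify(text, declared)
    if RANK[level] <= RANK[destination_level]:
        return text
    return mask(text, findings)


def inventory(records: dict[str, str]) -> dict[str, str]:
    """Map each stored item to the classification its contents require."""
    return {name: classify(body)[0] for name, body in records.items()}


# Constructed sample records with fictional identifiers.
SAMPLE_RECORDS = {
    "clerk/license_app_0412.txt": "Applicant: J. Doe  SSN 123-45-6789  Dog license renewal",
    "finance/vendor_1099_2010.txt": "Vendor: Acme Paving  EIN 12-3456789  Total paid $18,400",
    "clerk/agenda_2011_03.txt": "Board meeting 7:00 PM. Bid opening for 000-12-3456 job code",
}

if __name__ == "__main__":
    for name, level in inventory(SAMPLE_RECORDS).items():
        print(f"{level:24} {name}")
    print(release(SAMPLE_RECORDS["clerk/license_app_0412.txt"], "internal use", "internal use"))
```

The useful property is that classification is never lowered by what a record is declared to be: a license application filed as "internal use" still comes out "restricted confidential" once an SSN is found in it, and the release check then refuses to copy it unmasked to a destination, such as the backup hard drive described above, that has not been cleared for that level.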
Online Banking

Online banking provides a means of direct access to moneys held in the Town's accounts. It is an immediate way to review current account balances and account information, review recent transactions, and transfer moneys between bank accounts. Because of this access, adequate controls need to be established.

Written Policy - The Town should have a comprehensive written policy for online banking. This policy should include, but not be limited to, the following: the online banking functions (i.e., read-only, electronic transfer, wire transfer, etc.) that will be used by each employee with access to online banking, the employee permitted to authorize transactions, the employee who will record transactions, the employee who will review and reconcile transactions, and the procedures that will be followed when responding to potential fraudulent activity.

The Town does not have a formal online banking policy. Without a policy, the Town is at increased risk that inappropriate or unauthorized transactions will be initiated.

Banking Agreement - The Town should have an online banking agreement with each bank that provides those services. Per General Municipal Law,[8] this agreement should prescribe the manner in which electronic or wire transfers will be accomplished, identify the names and numbers of the bank accounts from which electronic transfers or wire transfers may be made, identify which individuals are authorized to request an electronic or wire transfer of funds, and implement a security procedure as defined in Uniform Commercial Code, section 4-A-201.

[8] General Municipal Law Section 5-a.
There is no separate online banking agreement between the Town and its bank; there is only a master agreement, which neither identifies the names and numbers of the bank accounts from which electronic transfers can be made nor identifies the individuals authorized to request them. There is no independent confirmation of activity by the bank. Town officials use the online banking services program in a limited manner; the accounts are available for viewing activity and making transfers between accounts, and the wire transfer module is not enabled. We identified and traced a total of 20 electronic transfers totaling $12,901,039 from source to destination accounts, and confirmed that the purposes of the transfers were appropriate.

Restriction of Online Banking Accounts - Segregation of duties within elected positions imposes a distinction between the responsibilities of the Town Supervisor, Town Clerk and Tax Collector. The Town Supervisor (in conjunction with the Board) has the obligation to audit various departments, but should not have access to other departments' funds until the funds are remitted to the Supervisor.
The Town Supervisor has the ability to view and transfer from accounts that exceed his authority. View access is available with the Town Supervisor's user ID and password for accounts captioned Justice Parker checking, Town Clerk other, Town Justice checking, Town Supervisor checking and Town Supervisor savings. The Supervisor can select from four accounts to transfer funds from and into; these are captioned Town Supervisor checking, Town Supervisor savings, Tax Collector checking and Tax Collector savings.

The Supervisor's online banking access to view or transfer funds should be limited to accounts for which he is responsible. Town officials may wish to revisit the decision to have online banking services available for the accounts of the Tax Collector and Town Clerk because the unused service and internet connection present a security risk.
Recommendations

6. Town officials should assess and review administrative designations on workstations, disable access where appropriate, and implement electronic controls to restrict the workstation users' ability to install unauthorized software or hardware.

7. Town officials should establish formal procedures for adding and deleting network user accounts.

8. The Town Clerk should contact the software application provider to ensure that separate user IDs and appropriate levels of access are established for each Deputy Clerk.

9. Town officials should develop and adopt relevant policies and establish procedures for backups, including data viability testing and restoration of backups on a regular basis.

10. Town officials should ensure that a backup of the Town's server is stored offsite. Town officials also should ensure, through a written agreement with the accounting firm, that they have either physical access to the backups of the Town's financial data or confirmation of the accounting firm's processes to back up and protect Town financial data on its servers.

11. Town officials should ensure that all files intended for online backup are properly designated.

12. Town officials should ensure that the Town is named as additional insured by all vendors with access to Town data.

13. Town officials should develop a disaster recovery plan that addresses the range of threats to the Town's IT system, distribute the plan to all responsible parties, and ensure that the plan is periodically tested and updated as needed.

14. Town officials should adopt a breach notification policy in compliance with New York State Technology Law.

15. Town officials should identify and classify PPSI, and ensure that sensitive data is encrypted on Town servers and that sensitive data stored on servers at offsite locations is properly handled.

16. Town officials should establish a comprehensive written policy for online banking that adequately addresses all online banking functions.

17. Town officials should require that an online banking agreement be established that identifies the names and numbers of the bank accounts from which electronic transfers may be made, and identifies the individual(s) authorized to initiate transfers.
Compliance With Workers' Compensation Requirements

Workers' Compensation Law requires the heads of all municipal entities to ensure that businesses applying for contracts carry workers' compensation and disability benefits insurance. This requirement applies to both original issuances and renewals, whether the municipal entity is having the work done or is simply issuing the contract.

We identified 35 contracts that involved potentially hazardous work during the audit period, and judgmentally selected those vendors who received the higher payments and who performed the work on site in the Town. We selected a total of 15 contracts for further testing. These 15 contract vendors were paid a total of $266,653 during the audit period. The Town had evidence of appropriate workers' compensation and disability benefits insurance on file for only two of the 15 vendors tested; one vendor's certificate expired before the end of the year. The Town did not have workers' compensation and disability benefits insurance on file for 13 vendors who were paid $252,599.

Verification of insurance is necessary to ensure benefits are available should workers get injured. It also levels the playing field, because it prevents employers from gaining a cost advantage by not carrying insurance. Further, it reduces the Town's liability in the event of an accident or injury.

Recommendation

18. Town officials should comply with the Workers' Compensation Law and provide staff with appropriate procedures to be followed to secure the required documents. These procedures should include types of vendors and insurance required, deadlines for receiving the documents, and compliance procedures if the required documents are not provided.
APPENDIX A
RESPONSE FROM LOCAL OFFICIALS
The local officials' response to this audit can be found on the following pages.

[The Town's response letter is reproduced in the original report as a scanned image; OSC margin annotations on it refer the reader to Note 1 and Note 2 on page 24, in Appendix B.]
APPENDIX B
OSC COMMENTS ON THE TOWN'S RESPONSE
Note 1
Town officials are mistaken. We do not have a past practice of removing findings if they are corrected
prior to the end of our audit. Our reports discuss deficiencies that exist during the audit scope period
and acknowledge changes and improvements made by Town officials during and subsequent to the
completion of audit fieldwork.
Note 2
Subsequent to the completion of our audit fieldwork, the Supervisor sent us a written agreement
for one of the nine vendors discussed in the report. We did not receive written agreements for the
remaining eight vendors. Town officials also provided us with one letter of rates charged by a vendor
that was not signed by the Board to indicate its acceptance.
Note 3
We did not dispute the efficiency of the Town's use of the shed. Our report states that, to comply with
the law, the lease must be approved via an order of the State Supreme Court upon the Boards petition.
At the time of our audit, there was no such Supreme Court order. The Town has apparently decided to
discontinue the lease rather than petition the Supreme Court.
APPENDIX C
AUDIT METHODOLOGY AND STANDARDS
Our overall goal was to assess the adequacy of the internal controls put in place by officials to safeguard Town assets. To accomplish this, we interviewed appropriate Town officials and reviewed pertinent documents such as Board minutes, Town local laws, the Town Employee Handbook, General Municipal Law, Workers' Compensation Law, and State Technology Law. We designed our audit to focus on those areas most at risk.
Purchasing:
When testing purchasing and ethics laws, we performed the following procedures:

- We interviewed Town and department officials and employees and reviewed available documents.
- We reviewed electronic disbursement data and quantified the number of professional service providers used by the Town and the total dollar amount paid for professional services during our audit period.
- We determined the population sample and judgmentally selected for audit those professional service providers paid more than $10,000 during the audit period.
- We obtained paid vouchers, requested written agreements, and compared rates paid to agreements or approvals in Board minutes.
- We reviewed electronic disbursement data and quantified the number of purchases and total dollar amounts for which quotations were required per the Town's procurement policy during the audit period.
- Using the total population, we selected an audit sample of 15. We began with a random sample starting with number five of the population count, and selected every 5th paid voucher. We later revised it to a judgmental sample as we eliminated purchases from duplicate vendors or purchases that did not meet our objective and replaced them with judgmental selections.
- We reviewed the vouchers in our audit sample to determine if designation of purchase under New York State or Ulster County Contract was indicated, if quotations obtained prior to the purchase were attached, or a sole source designation was indicated.
- We obtained and examined responses to our conflict of interest inquiries, reviewed Board minutes and Town Clerk records for submitted annual disclosures, initiated email correspondence to Board members to obtain clarifying information, obtained a copy of an executed leasehold agreement, reviewed paid vouchers, and consulted with our Legal Department.
Information Technology:
When testing information technology, we performed the following procedures:

- We interviewed Town officials and employees regarding the Town's information technology system and environment.
- We interviewed the IT consultant and the accountant, who are both third party providers, regarding the Town's information technology system, data, and environment.
- We reviewed the Employee Handbook's Computer Systems and Internet/On-Line Service Policy.
- We used an analytical program to examine controls to determine if sensitive information was at risk due to improper settings or contained unauthorized software.
- We examined workstation users and groups, and examined controls over network accounts and passwords for Town employees and third-party support technicians.
- We examined controls over application user accounts and user access to software applications used at the Town.
- We interviewed Town officials and a representative from the IT consultant regarding procedures in place for backups, verification of backup quality, and restoration of data.
- We interviewed the Town Supervisor regarding a disaster recovery plan and an information breach notification law.
- We reviewed the master banking agreement between the Town and its bank and observed on-line banking access of the Supervisor and Clerk.
- We identified and traced all electronic transfers made through on-line banking during the audit period from source to destination.
Compliance With Workers' Compensation Requirements:

When testing compliance with Workers' Compensation requirements, we performed the following procedures:

- We obtained and examined all documentation associated with the awarded contracts to determine if required workers' compensation and disability insurance certificates were obtained. We consulted with the New York State Workers' Compensation Board for clarification.
- We reviewed electronic disbursement data to assemble a list of possible contracts involving hazardous work and identified a population of 35 vendors from which we judgmentally selected a sample of 15.
APPENDIX D
HOW TO OBTAIN ADDITIONAL COPIES OF THE REPORT
To obtain copies of this report, write or visit our web page:

Office of the State Comptroller
Public Information Office
110 State Street, 15th Floor
Albany, New York 12236
(518) 474-4015
http://www.osc.state.ny.us/localgov/
APPENDIX E
OFFICE OF THE STATE COMPTROLLER
DIVISION OF LOCAL GOVERNMENT
AND SCHOOL ACCOUNTABILITY
Andrew A. SanFilippo, Executive Deputy Comptroller
Steven J. Hancox, Deputy Comptroller
Nathaalie N. Carey, Assistant Comptroller
LOCAL REGIONAL OFFICE LISTING
BINGHAMTON REGIONAL OFFICE
H. Todd Eames, Chief Examiner
Office of the State Comptroller
State Office Building - Suite 1702
44 Hawley Street
Binghamton, New York 13901-4417
(607) 721-8306 Fax (607) 721-8313
Email: [email protected]
Serving: Broome, Chenango, Cortland, Delaware,
Otsego, Schoharie, Sullivan, Tioga, Tompkins Counties
BUFFALO REGIONAL OFFICE
Robert Meller, Chief Examiner
Office of the State Comptroller
295 Main Street, Suite 1032
Buffalo, New York 14203-2510
(716) 847-3647 Fax (716) 847-3643
Email: [email protected]
Serving: Allegany, Cattaraugus, Chautauqua, Erie,
Genesee, Niagara, Orleans, Wyoming Counties
GLENS FALLS REGIONAL OFFICE
Jeffrey P. Leonard, Chief Examiner
Office of the State Comptroller
One Broad Street Plaza
Glens Falls, New York 12801-4396
(518) 793-0057 Fax (518) 793-5797
Email: [email protected]
Serving: Albany, Clinton, Essex, Franklin,
Fulton, Hamilton, Montgomery, Rensselaer,
Saratoga, Schenectady, Warren, Washington Counties
HAUPPAUGE REGIONAL OFFICE
Ira McCracken, Chief Examiner
Office of the State Comptroller
NYS Office Building, Room 3A10
Veterans Memorial Highway
Hauppauge, New York 11788-5533
(631) 952-6534 Fax (631) 952-6530
Email: [email protected]
Serving: Nassau and Suffolk Counties
NEWBURGH REGIONAL OFFICE
Christopher Ellis, Chief Examiner
Office of the State Comptroller
33 Airport Center Drive, Suite 103
New Windsor, New York 12553-4725
(845) 567-0858 Fax (845) 567-0080
Email: [email protected]
Serving: Columbia, Dutchess, Greene, Orange,
Putnam, Rockland, Ulster, Westchester Counties
ROCHESTER REGIONAL OFFICE
Edward V. Grant, Jr., Chief Examiner
Office of the State Comptroller
The Powers Building
16 West Main Street Suite 522
Rochester, New York 14614-1608
(585) 454-2460 Fax (585) 454-3545
Email: [email protected]
Serving: Cayuga, Chemung, Livingston, Monroe,
Ontario, Schuyler, Seneca, Steuben, Wayne, Yates Counties
SYRACUSE REGIONAL OFFICE
Rebecca Wilcox, Chief Examiner
Office of the State Comptroller
State Office Building, Room 409
333 E. Washington Street
Syracuse, New York 13202-1428
(315) 428-4192 Fax (315) 426-2119
Email: [email protected]
Serving: Herkimer, Jefferson, Lewis, Madison,
Oneida, Onondaga, Oswego, St. Lawrence Counties
STATEWIDE AND REGIONAL PROJECTS
Ann C. Singer, Chief Examiner
State Office Building - Suite 1702
44 Hawley Street
Binghamton, New York 13901-4417
(607) 721-8306 Fax (607) 721-8313