MMR - FY20 - AGENCY INTERNAL CONTROLS

• Roam Embed::
  • {{pdf: https://www1.nyc.gov/assets/operations/downloads/pdf/mmr2020/agency_internal_controls.pdf }}
• Obsidian Embed::

• Raw Text::
  • AGENCY INTERNAL CONTROLS | Page 411
  • AGENCY INTERNAL CONTROLS
  • CHARTER INTERNAL CONTROL REPORTING REQUIREMENT
  • Statements on the status of mayoral agencies’ internal control environments and systems for Fiscal 2019 and the actions
  • taken or to be taken to strengthen such systems are set forth below, pursuant to Section 12(c)(3) of the New York City
  • Charter. The Mayor’s Office of Operations compiled these statements based upon reviews of 33 mayoral agencies’ internal
  • control certifications, financial integrity statements, applicable State and City Comptrollers’ audit reports and agency responses to such reports. The heads of those agencies attested to the status of their agencies’ internal control systems with
  • respect to principal operations, including the 13 areas covered by the City Comptroller’s Directive 1 checklist, specifically:
  • effectiveness and efficiency; cash receipts; imprest funds (petty cash); billings and receivables; expenditures and payables;
  • inventory; payroll and personnel; IT controls and procedures; single audit; licenses and permits; violations certificates;
  • leases, concessions and franchises; and internal audit function.
  • SUMMARY STATEMENTS ON THE STATUS OF INTERNAL CONTROL SYSTEMS
  • Agency head reporting indicate that their systems of internal control, taken as a whole, are sufficient to meet the City’s
  • internal control objectives of maximizing the effectiveness and integrity of operations and reducing vulnerability to waste,
  • abuse and other errors or irregularities. Certain agencies identified inefficiencies, which are covered below. The covered
  • agencies are committed to pursuing applicable corrective actions and continuing to monitor their internal control systems.
  • Administration for Children’s Services
  • The Administration for Children’s Services (ACS) reports continuation of activities with respect to oversight and enhancement of its system of internal controls. These activities include ongoing efforts with respect to updating information
  • technology system controls and security to align with written policies, procedures and best practices. In addition, ACS
  • reports ongoing efforts to formalize and develop written policies and procedures with respect to child safety and welfare,
  • under the guidance of federal, state, and local oversight. ACS will continue its course of corrective action and will monitor
  • its overall internal control environment through its internal audit group, external audit follow-up and use of information
  • technology systems.
  • City Commission on Human Rights
  • The City Commission on Human Rights (CCHR) reports continued oversight with respect to its system of internal controls,
  • including continued efforts to enhance the segregation of duties across program areas. CCHR will continue to monitor its
  • internal control environment through continuous self-assessments and agency management reviews.
  • Civilian Complaint Review Board
  • The Civilian Complaint Review Board (CCRB) reports continued activities to further enhance its internal control environment, including continued efforts with respect to the segregation of responsibilities as well as the implementation of
  • compensating controls over inventory as resources allow. In addition, CCRB reports the development and maintenance of
  • written policies for its operating units. CCRB will continue to take appropriate corrective actions and will monitor its overall
  • system of internal controls environment through internal audits.
  • Department of Buildings
  • The Department of Buildings (DOB) reports the continuation of oversight with respect to its system of internal controls.
  • In particular, DOB reports ongoing review of current operations and implementation of procedural changes, updating
  • technology to support data classification and encryption, development of disaster recovery plans, and measures relative to
  • invoice and voucher processing. The agency will continue its course of corrective action with the objective of maximizing
  • the effectiveness and integrity of operations while reducing the vulnerability of agency waste, abuse, errors or irregularities
  • through ongoing monitoring of its internal control systems, internal audits, and external audit follow-up activity and risk
  • assessments.
  • Page 412 | MAYOR’S MANAGEMENT REPORT
  • Department of City Planning
  • The Department of City Planning (DCP) reports ongoing oversight of its system of internal controls to ensure effective and
  • efficient agency operations. DCP will continue to monitor its internal control environment through risk assessment, followup on external audits and by conducting management reviews.
  • Department of Citywide Administrative Services
  • The Department of Citywide Administrative Services (DCAS) reports continuation of activities to further strengthen its
  • system of internal controls, including measures to protect private and confidential data, revision of inventory policies and
  • procedures, as well as the performance of annual inventories. DCAS will continue to monitor its overall internal control
  • environment through internal audits, follow-up on external audits, and risk assessments.
  • Department of Consumer Affairs
  • The Department of Consumer Affairs (DCA) reports ongoing oversight and activities maintaining its internal control environment. DCA will continue to monitor its overall system of internal controls through internal process reviews and followup on external audits.
  • Department of Correction
  • The Department of Correction (DOC) reports continued efforts and progress to further enhance its system of internal
  • controls. In particular, the agency reports measures to strengthen Information Security policies and standards, completed
  • WiFi coverage to support staff and inmate devices, the completion of phase one of its Investigative Case Management
  • System, and the implementation of random inventory counts. DOC will continue its course of corrective action and monitor its overall internal control environment through internal audits, external audit follow-up, risk assessments and agency
  • management reviews.
  • Department of Cultural Affairs
  • The Department of Cultural Affairs (DCLA) reports ongoing oversight and activities with respect to its internal control environment, including the utilization and update of technological systems for effective monitoring of internal controls and
  • financial accountability. DCLA will continue to monitor its overall internal control environment through internal reviews and
  • the use of information technology.
  • Department of Design and Construction
  • The Department of Design and Construction (DDC) reports continued strengthening of its internal control environment.
  • Specifically, DDC reports continued improvements in the areas of inspections, public surveys to evaluate client and resident
  • satisfaction, staff training, and comprehensive audits covering construction projects to further improve site safety and work
  • quality. Additionally, DDC reports implementation of automated systems that improve tracking and management of communications and documentation associated with certain information requests for contracts and payments. The agency will
  • continue the present course of action with the objective of maximizing the effectiveness and integrity of agency operations
  • and reducing the vulnerability of agency waste, abuse, errors, or irregularities, and will monitor its overall internal control
  • environment through internal audits, external audit follow-up and risk assessments.
  • Department of Environmental Protection
  • The Department of Environmental Protection (DEP) reports continuation of activities with respect to oversight and enhancement of its system of internal controls. Specifically, the agency reports ongoing efforts to strengthen the segregation
  • of duties and has implemented computerized maintenance management systems with inventory control modules that support water resource recovery facilities. DEP also reports ongoing improvements relative to asset management and inventory
  • controls for computers and related equipment. The agency will continue to monitor its overall internal control environment
  • through risk assessments, internal audits, and external audit follow-up.
  • AGENCY INTERNAL CONTROLS | Page 413
  • Department of Finance
  • The Department of Finance (DOF) reports oversight and enhancements with respect to its system of internal controls, including deployment of a multifactor authentication solution for remote access, enforcement of a password security policy
  • including review of administrator accounts. In addition, DOF reports the establishment of additional safeguards and certification programs relative to file access, as well as the development of policies and procedures with respect to the segregation of duties and computer security. DOF will continue its course of corrective action and will monitor its overall internal
  • control environment through internal audits, external audit follow-up, and risk assessments.
  • Department for the Aging
  • The Department for the Aging (DFTA) reports ongoing oversight of its system of internal controls, including further progress with respect to enhanced reporting and tracking abilities through the agency’s Senior Tracking Analysis and Reporting
  • System (STARS). DFTA will continue its course of corrective action and will monitor its overall internal control environment
  • by conducting program fiscal compliance audits, external audit follow-up activity, and risk assessments.
  • Department of Health and Mental Hygiene
  • The Department of Health and Mental Hygiene (DOHMH) reports further enhancements with respect to its system of internal controls. The agency reports continued upgrades its Revenue Management System to automate State Aid claiming
  • and to improve reporting. In addition, DOHMH continued to strengthen its cybersecurity controls with respect to updated
  • policies and procedures, ongoing monitoring, and user security awareness training. Further, DOHMH continued to enhance
  • multi-factor authentication, data encryption, backup and disaster recovery. DOHMH will continue to monitor its overall
  • internal control environment through internal audits, follow-up on external audits, self-assessments and internal management reporting systems.
  • Department of homeless Services
  • The Department of homeless Services (DHS) reports ongoing oversight with respect to its internal control environment,
  • including continued efforts on standardized policies and procedures and the development of robust performance metrics
  • for street homelessness, as well as network connection data security and encryption. DHS will continue its course of corrective action and monitor its overall internal control environment through the Department of Social Services’ Office of
  • Program Accountability.
  • Department of Housing Preservation and Development
  • The Department of Housing Preservation and Development (HPD) reports continuation of activities to strengthen its internal control environment, including further efforts in recordkeeping with respect to capital assets, as well as periodic assessment and development of written policies and procedures for write-offs impacting major program areas. HPD will continue
  • its course of corrective action and monitor the overall internal control environment through follow-up of corrective action
  • plans and conducting management reviews.
  • Department of Information Technology and Telecommunications
  • The Department of Information Technology and Telecommunications (DOITT) reports continued oversight with respect to
  • its system of internal controls, including efforts to comply with new information technology requirements and expanding
  • cybersecurity protections. DOITT will continue to monitor its internal control environment through oversight, external audit
  • follow-up and information technology.
  • Department of Investigation
  • The Department of Investigation (DOI) reports the ongoing activities and oversight with respect to its internal control environment, including continuous improvements of cybersecurity policies and standards. DOI will continue to monitor its
  • system of internal controls through its internal audit group and the use of information technology.
  • Page 414 | MAYOR’S MANAGEMENT REPORT
  • Department of Parks and Recreation
  • The Department of Parks and Recreation (DPR) reports continued activities and oversight to further strengthen its system
  • of internal controls. In particular, the agency reports continued efforts to segregate duties in the areas of cash receipts and
  • inventory management, formally document policies and procedures specific to agency operations, and adopted the use of
  • a digital scanning system for the deposit of cash receipts. DPR will continue its course of corrective action and monitor its
  • overall internal control environment through internal audits, risk assessments, and external audit follow-up.
  • Department of Probation
  • The Department of Probation (DOP) reports ongoing oversight with respect to its internal control environment, including measures to enhance quarterly performance management meetings and reports to senior managers from each borough. The agency continues to implement best practices with respect to individual assessments, case conferencing, and
  • documentation reviews, to strengthen supervision plans. These activities include formal training, internal quality assurance
  • checks, targeted accountability reviews, and routine data integrity exercises. DOP will continue to monitor its internal control environment through its internal audit group and management reviews.
  • Department of Records and Information Services
  • The Department of Records and Information Services reports ongoing oversight to further strengthen its internal control
  • environment, including actions with respect to measuring effectiveness, commitment to staff training, implementation of
  • policies with regard to maintenance of procurement records in digital format, and continued enforcement of its policy regarding non-public spaces. The Department of Records and Information Services will continue to monitor its overall internal
  • control environment through external follow-up and the use of information technology reviews.
  • Department of Sanitation
  • The Department of Sanitation (DSNY) reports ongoing oversight and enhancements with respect to its system of internal
  • controls. In particular, the agency reports continued efforts to contribute to a safe and secure computing environment
  • including ongoing updates and addition of systems and resources, continued efforts toward implementing a centralized
  • event logging system, work to enhance vulnerability management and patching systems, and installation of multi-factor
  • authentication practices. Further, DSNY reports continued distribution of applications remotely, consolidated data and inventory to centralize assets, completed an agency-wide physical inventory inspection, implemented a warranty verification
  • and return process for equipment, and enhanced personnel policies and procedures. DSNY will continue to monitor its internal control environment through internal audits, self-inspections, risk assessments, and external audit follow-up activity.
  • Department of Small Business Services
  • The Department of Small Business Services reports continued oversight with respect to its system of internal controls, including monitoring and improvement of the multi-factor authentication relative to remote access. The agency will continue
  • to monitor its system of internal controls through internal audits and management recommendations.
  • Department of Transportation
  • The Department of Transportation (DOT) reports continued oversight and monitoring activities contributing to the overall
  • effectiveness and efficiency of its system of internal controls. Specifically, the implementation of security and access controls within the information technology environment as well as ongoing efforts to strengthen controls over grants compliance. DOT will continue to monitor its internal control environment through internal and external audits, the implementation of corrective actions, and management reviews.
  • Department of Youth and Community Development
  • The Department of Youth and Community Development (DYCD) reports the continuation of oversight and monitoring of
  • its system of internal controls. These actions include ongoing work to build upon existing systems designed to improve
  • efficiency and enhance internal controls, as well as continued commitment to staff training to enhance fiscal integrity.
  • DYCD will continue to monitor its internal control environment through internal audits, risk assessments, and external audit
  • follow-up.
  • AGENCY INTERNAL CONTROLS | Page 415
  • Fire Department
  • The Fire Department (FDNY) reports ongoing activities to strengthen its internal control environment. Specifically, the
  • agency reports continued improvement in the areas of information technology controls and procedures with specific focus
  • on planning and governance, application development security, data classification and management, internet connectivity,
  • and disaster recovery. FDNY will continue its course of corrective action and monitor its overall internal control environment
  • through internal audits, risk assessments, and external audit activity.
  • Human Resources Administration
  • The Human Resources Administration (HRA) reports continuation of activities to further enhance its system of internal controls. The agency reports the development of written policies and guidance with respect to supportive affordable housing,
  • continued efforts to enhance constituent service interactions, measures to strengthen inventory management operations,
  • as well as network connection data security and encryption. HRA will continue its course of corrective action and will monitor its overall internal control environment through its Office of Program Accountability.
  • Landmarks Preservation Commission
  • The Landmarks Preservation Commission (LPC) reports further review and enhancement of programs and policies with
  • respect to its internal control environment. LPC will continue to monitor its system of internal controls.
  • Law Department
  • The Law Department reports continued compliance with respect to the operation of its system of internal controls, including efforts implementing multi-factor authentication for remote access as well as the development of policies and
  • procedures relative to incident response and log management standards. The agency will continue to monitor its overall
  • internal control environment through internal audit unit activity, information technology controls, external audit follow-up,
  • and management reviews.
  • Police Department
  • The New York City Police Department (NYPD) reports continued oversight with respect to its system of internal controls
  • with the objective of maximizing the effectiveness and integrity of agency operations. The agency reports ongoing efforts relative to the implementation of processes for encrypting all local hard drives as well as the development of incident
  • response and management procedures. The NYPD will continue to monitor its internal control environment through its
  • Information Technology Bureau, Internal Affairs Bureau, Risk Management Bureau, Fiscal Accountability Unit, and Integrity
  • Control Officers.
  • Taxi and Limousine Commission
  • The Taxi and Limousine Commission (TLC) reports continued oversight with respect to operations of its internal control
  • environment, including ongoing processes of reviewing and updating operating procedures as well as efforts to implement
  • multi-factor authentication. Through the Finance and Administration Division, TLC will continue to monitor its internal
  • control environment based on management and performance reviews, policies and procedures, external audit follow-up
  • activity, and information technology.
  • Business Integrity Commission
  • The Business Integrity Commission (BIC) again reports the continuation of activities with respect to the review and oversight of its system of internal controls, including corrective actions to improve its internal processes and strengthen its safeguards with respect to securing and depositing fees received as well as the segregation of duties. The agency will continue
  • to monitor its internal control environment through internal audits, information technology controls and reporting.
  • New York City Emergency Management
  • New York City Emergency Management reports ongoing oversight to further strengthen its system of internal controls by
  • conducting routine self-assessments, as well as exploring an inventory database to help ensure completeness and accuracy.
  • The agency will continue to monitor its internal control environment through internal reviews and external audit follow-up.
  • Page 416 | MAYOR’S MANAGEMENT REPORT