Statements on the status of mayoral agencies’ internal control environments and systems for Fiscal 2019 and the actions
taken or to be taken to strengthen such systems are set forth below, pursuant to Section 12(c)(3) of the New York City
Charter. The Mayor’s Office of Operations compiled these statements based upon reviews of 33 mayoral agencies’ internal
control certifications, financial integrity statements, applicable State and City Comptrollers’ audit reports and agency responses to such reports. The heads of those agencies attested to the status of their agencies’ internal control systems with
respect to principal operations, including the 13 areas covered by the City Comptroller’s Directive 1 checklist, specifically:
effectiveness and efficiency; cash receipts; imprest funds (petty cash); billings and receivables; expenditures and payables;
inventory; payroll and personnel; IT controls and procedures; single audit; licenses and permits; violations certificates;
leases, concessions and franchises; and internal audit function.
SUMMARY STATEMENTS ON THE STATUS OF INTERNAL CONTROL SYSTEMS
Agency head reporting indicate that their systems of internal control, taken as a whole, are sufficient to meet the City’s
internal control objectives of maximizing the effectiveness and integrity of operations and reducing vulnerability to waste,
abuse and other errors or irregularities. Certain agencies identified inefficiencies, which are covered below. The covered
agencies are committed to pursuing applicable corrective actions and continuing to monitor their internal control systems.
Administration for Children’s Services
The Administration for Children’s Services (ACS) reports continuation of activities with respect to oversight and enhancement of its system of internal controls. These activities include ongoing efforts with respect to updating information
technology system controls and security to align with written policies, procedures and best practices. In addition, ACS
reports ongoing efforts to formalize and develop written policies and procedures with respect to child safety and welfare,
under the guidance of federal, state, and local oversight. ACS will continue its course of corrective action and will monitor
its overall internal control environment through its internal audit group, external audit follow-up and use of information
technology systems.
City Commission on Human Rights
The City Commission on Human Rights (CCHR) reports continued oversight with respect to its system of internal controls,
including continued efforts to enhance the segregation of duties across program areas. CCHR will continue to monitor its
internal control environment through continuous self-assessments and agency management reviews.
Civilian Complaint Review Board
The Civilian Complaint Review Board (CCRB) reports continued activities to further enhance its internal control environment, including continued efforts with respect to the segregation of responsibilities as well as the implementation of
compensating controls over inventory as resources allow. In addition, CCRB reports the development and maintenance of
written policies for its operating units. CCRB will continue to take appropriate corrective actions and will monitor its overall
system of internal controls environment through internal audits.
Department of Buildings
The Department of Buildings (DOB) reports the continuation of oversight with respect to its system of internal controls.
In particular, DOB reports ongoing review of current operations and implementation of procedural changes, updating
technology to support data classification and encryption, development of disaster recovery plans, and measures relative to
invoice and voucher processing. The agency will continue its course of corrective action with the objective of maximizing
the effectiveness and integrity of operations while reducing the vulnerability of agency waste, abuse, errors or irregularities
through ongoing monitoring of its internal control systems, internal audits, and external audit follow-up activity and risk
assessments.
Page 412 | MAYOR’S MANAGEMENT REPORT
Department of City Planning
The Department of City Planning (DCP) reports ongoing oversight of its system of internal controls to ensure effective and
efficient agency operations. DCP will continue to monitor its internal control environment through risk assessment, followup on external audits and by conducting management reviews.
Department of Citywide Administrative Services
The Department of Citywide Administrative Services (DCAS) reports continuation of activities to further strengthen its
system of internal controls, including measures to protect private and confidential data, revision of inventory policies and
procedures, as well as the performance of annual inventories. DCAS will continue to monitor its overall internal control
environment through internal audits, follow-up on external audits, and risk assessments.
Department of Consumer Affairs
The Department of Consumer Affairs (DCA) reports ongoing oversight and activities maintaining its internal control environment. DCA will continue to monitor its overall system of internal controls through internal process reviews and followup on external audits.
Department of Correction
The Department of Correction (DOC) reports continued efforts and progress to further enhance its system of internal
controls. In particular, the agency reports measures to strengthen Information Security policies and standards, completed
WiFi coverage to support staff and inmate devices, the completion of phase one of its Investigative Case Management
System, and the implementation of random inventory counts. DOC will continue its course of corrective action and monitor its overall internal control environment through internal audits, external audit follow-up, risk assessments and agency
management reviews.
Department of Cultural Affairs
The Department of Cultural Affairs (DCLA) reports ongoing oversight and activities with respect to its internal control environment, including the utilization and update of technological systems for effective monitoring of internal controls and
financial accountability. DCLA will continue to monitor its overall internal control environment through internal reviews and
the use of information technology.
Department of Design and Construction
The Department of Design and Construction (DDC) reports continued strengthening of its internal control environment.
Specifically, DDC reports continued improvements in the areas of inspections, public surveys to evaluate client and resident
satisfaction, staff training, and comprehensive audits covering construction projects to further improve site safety and work
quality. Additionally, DDC reports implementation of automated systems that improve tracking and management of communications and documentation associated with certain information requests for contracts and payments. The agency will
continue the present course of action with the objective of maximizing the effectiveness and integrity of agency operations
and reducing the vulnerability of agency waste, abuse, errors, or irregularities, and will monitor its overall internal control
environment through internal audits, external audit follow-up and risk assessments.
Department of Environmental Protection
The Department of Environmental Protection (DEP) reports continuation of activities with respect to oversight and enhancement of its system of internal controls. Specifically, the agency reports ongoing efforts to strengthen the segregation
of duties and has implemented computerized maintenance management systems with inventory control modules that support water resource recovery facilities. DEP also reports ongoing improvements relative to asset management and inventory
controls for computers and related equipment. The agency will continue to monitor its overall internal control environment
through risk assessments, internal audits, and external audit follow-up.
AGENCY INTERNAL CONTROLS | Page 413
Department of Finance
The Department of Finance (DOF) reports oversight and enhancements with respect to its system of internal controls, including deployment of a multifactor authentication solution for remote access, enforcement of a password security policy
including review of administrator accounts. In addition, DOF reports the establishment of additional safeguards and certification programs relative to file access, as well as the development of policies and procedures with respect to the segregation of duties and computer security. DOF will continue its course of corrective action and will monitor its overall internal
control environment through internal audits, external audit follow-up, and risk assessments.
Department for the Aging
The Department for the Aging (DFTA) reports ongoing oversight of its system of internal controls, including further progress with respect to enhanced reporting and tracking abilities through the agency’s Senior Tracking Analysis and Reporting
System (STARS). DFTA will continue its course of corrective action and will monitor its overall internal control environment
by conducting program fiscal compliance audits, external audit follow-up activity, and risk assessments.
Department of Health and Mental Hygiene
The Department of Health and Mental Hygiene (DOHMH) reports further enhancements with respect to its system of internal controls. The agency reports continued upgrades its Revenue Management System to automate State Aid claiming
and to improve reporting. In addition, DOHMH continued to strengthen its cybersecurity controls with respect to updated
policies and procedures, ongoing monitoring, and user security awareness training. Further, DOHMH continued to enhance
multi-factor authentication, data encryption, backup and disaster recovery. DOHMH will continue to monitor its overall
internal control environment through internal audits, follow-up on external audits, self-assessments and internal management reporting systems.
Department of homeless Services
The Department of homeless Services (DHS) reports ongoing oversight with respect to its internal control environment,
including continued efforts on standardized policies and procedures and the development of robust performance metrics
for street homelessness, as well as network connection data security and encryption. DHS will continue its course of corrective action and monitor its overall internal control environment through the Department of Social Services’ Office of
Program Accountability.
Department of Housing Preservation and Development
The Department of Housing Preservation and Development (HPD) reports continuation of activities to strengthen its internal control environment, including further efforts in recordkeeping with respect to capital assets, as well as periodic assessment and development of written policies and procedures for write-offs impacting major program areas. HPD will continue
its course of corrective action and monitor the overall internal control environment through follow-up of corrective action
plans and conducting management reviews.
Department of Information Technology and Telecommunications
The Department of Information Technology and Telecommunications (DOITT) reports continued oversight with respect to
its system of internal controls, including efforts to comply with new information technology requirements and expanding
cybersecurity protections. DOITT will continue to monitor its internal control environment through oversight, external audit
follow-up and information technology.
Department of Investigation
The Department of Investigation (DOI) reports the ongoing activities and oversight with respect to its internal control environment, including continuous improvements of cybersecurity policies and standards. DOI will continue to monitor its
system of internal controls through its internal audit group and the use of information technology.
Page 414 | MAYOR’S MANAGEMENT REPORT
Department of Parks and Recreation
The Department of Parks and Recreation (DPR) reports continued activities and oversight to further strengthen its system
of internal controls. In particular, the agency reports continued efforts to segregate duties in the areas of cash receipts and
inventory management, formally document policies and procedures specific to agency operations, and adopted the use of
a digital scanning system for the deposit of cash receipts. DPR will continue its course of corrective action and monitor its
overall internal control environment through internal audits, risk assessments, and external audit follow-up.
Department of Probation
The Department of Probation (DOP) reports ongoing oversight with respect to its internal control environment, including measures to enhance quarterly performance management meetings and reports to senior managers from each borough. The agency continues to implement best practices with respect to individual assessments, case conferencing, and
documentation reviews, to strengthen supervision plans. These activities include formal training, internal quality assurance
checks, targeted accountability reviews, and routine data integrity exercises. DOP will continue to monitor its internal control environment through its internal audit group and management reviews.
Department of Records and Information Services
The Department of Records and Information Services reports ongoing oversight to further strengthen its internal control
environment, including actions with respect to measuring effectiveness, commitment to staff training, implementation of
policies with regard to maintenance of procurement records in digital format, and continued enforcement of its policy regarding non-public spaces. The Department of Records and Information Services will continue to monitor its overall internal
control environment through external follow-up and the use of information technology reviews.
Department of Sanitation
The Department of Sanitation (DSNY) reports ongoing oversight and enhancements with respect to its system of internal
controls. In particular, the agency reports continued efforts to contribute to a safe and secure computing environment
including ongoing updates and addition of systems and resources, continued efforts toward implementing a centralized
event logging system, work to enhance vulnerability management and patching systems, and installation of multi-factor
authentication practices. Further, DSNY reports continued distribution of applications remotely, consolidated data and inventory to centralize assets, completed an agency-wide physical inventory inspection, implemented a warranty verification
and return process for equipment, and enhanced personnel policies and procedures. DSNY will continue to monitor its internal control environment through internal audits, self-inspections, risk assessments, and external audit follow-up activity.
Department of Small Business Services
The Department of Small Business Services reports continued oversight with respect to its system of internal controls, including monitoring and improvement of the multi-factor authentication relative to remote access. The agency will continue
to monitor its system of internal controls through internal audits and management recommendations.
Department of Transportation
The Department of Transportation (DOT) reports continued oversight and monitoring activities contributing to the overall
effectiveness and efficiency of its system of internal controls. Specifically, the implementation of security and access controls within the information technology environment as well as ongoing efforts to strengthen controls over grants compliance. DOT will continue to monitor its internal control environment through internal and external audits, the implementation of corrective actions, and management reviews.
Department of Youth and Community Development
The Department of Youth and Community Development (DYCD) reports the continuation of oversight and monitoring of
its system of internal controls. These actions include ongoing work to build upon existing systems designed to improve
efficiency and enhance internal controls, as well as continued commitment to staff training to enhance fiscal integrity.
DYCD will continue to monitor its internal control environment through internal audits, risk assessments, and external audit
follow-up.
AGENCY INTERNAL CONTROLS | Page 415
Fire Department
The Fire Department (FDNY) reports ongoing activities to strengthen its internal control environment. Specifically, the
agency reports continued improvement in the areas of information technology controls and procedures with specific focus
on planning and governance, application development security, data classification and management, internet connectivity,
and disaster recovery. FDNY will continue its course of corrective action and monitor its overall internal control environment
through internal audits, risk assessments, and external audit activity.
Human Resources Administration
The Human Resources Administration (HRA) reports continuation of activities to further enhance its system of internal controls. The agency reports the development of written policies and guidance with respect to supportive affordable housing,
continued efforts to enhance constituent service interactions, measures to strengthen inventory management operations,
as well as network connection data security and encryption. HRA will continue its course of corrective action and will monitor its overall internal control environment through its Office of Program Accountability.
Landmarks Preservation Commission
The Landmarks Preservation Commission (LPC) reports further review and enhancement of programs and policies with
respect to its internal control environment. LPC will continue to monitor its system of internal controls.
Law Department
The Law Department reports continued compliance with respect to the operation of its system of internal controls, including efforts implementing multi-factor authentication for remote access as well as the development of policies and
procedures relative to incident response and log management standards. The agency will continue to monitor its overall
internal control environment through internal audit unit activity, information technology controls, external audit follow-up,
and management reviews.
Police Department
The New York City Police Department (NYPD) reports continued oversight with respect to its system of internal controls
with the objective of maximizing the effectiveness and integrity of agency operations. The agency reports ongoing efforts relative to the implementation of processes for encrypting all local hard drives as well as the development of incident
response and management procedures. The NYPD will continue to monitor its internal control environment through its
Information Technology Bureau, Internal Affairs Bureau, Risk Management Bureau, Fiscal Accountability Unit, and Integrity
Control Officers.
Taxi and Limousine Commission
The Taxi and Limousine Commission (TLC) reports continued oversight with respect to operations of its internal control
environment, including ongoing processes of reviewing and updating operating procedures as well as efforts to implement
multi-factor authentication. Through the Finance and Administration Division, TLC will continue to monitor its internal
control environment based on management and performance reviews, policies and procedures, external audit follow-up
activity, and information technology.
Business Integrity Commission
The Business Integrity Commission (BIC) again reports the continuation of activities with respect to the review and oversight of its system of internal controls, including corrective actions to improve its internal processes and strengthen its safeguards with respect to securing and depositing fees received as well as the segregation of duties. The agency will continue
to monitor its internal control environment through internal audits, information technology controls and reporting.
New York City Emergency Management
New York City Emergency Management reports ongoing oversight to further strengthen its system of internal controls by
conducting routine self-assessments, as well as exploring an inventory database to help ensure completeness and accuracy.
The agency will continue to monitor its internal control environment through internal reviews and external audit follow-up.