NYS Comptroller’s audit criticizes Lloyd
Recently, New York State Office of the Comptroller released their completed 25 page audit on the Town of Lloyd entitled Internal Controls over Selected Financial Operations.
Representatives of NYS Comptroller Thomas DiNapoli reviewed town records from Jan. 1, 2010 through Aug. 4, 2011. Auditors highlighted significant procedural irregularities and a lack of critical policies needed to protect town assets that took place during the administration of former Supervisor Ray Costantino.
The Comptroller’s report stated that audits “identify opportunities for improving operations and Town Board governance. Audits also can identify strategies to reduce costs and to strengthen controls intended to safeguard local government assets.”
The audit posed four key questions: Are internal controls [in Lloyd] over claims auditing appropriately designed and operating effectively? Are internal controls over cash receipts and disbursements appropriately designed and operating effectively? Are internal controls over IT resources appropriately designed and operating effectively and Did the Town comply with the requirement that businesses they contract with carry workers’ compensation and disability insurance?
The audit concluded that the Town Board during the audit time frame did not audit and approve claims as was required, but instead established an audit committee consisting of one Town Board member who reviewed invoices for payment. The audit looked at a sampling of 84 invoices totaling $26,815 and found that the board member failed to audit nine of the 84 invoices, totaling $5,750. The audit noted that one Town Board member, who owns a hardware store, was paid $1,255 in 2010, which exceeded the allowed limit under General Municipal Law by $505. This put him with a prohibited interest in a contract with the town. Councilman Jeff Paladino is the board member who owns a hardware store. The audit recommended that the Town Board not enter into a contract with any officer or employee who has a prohibited interest.
The audit revealed that the town’s electronic banking policy was inadequate because it did not have a required second authorization requirement prior to initiating wire transfers. The audit pointed out that this increased the risk of unauthorized transfers and has the potential for the misuse of funds.
In a sampling of 162 checks, the audit found that 13 of 15 checks, which were not part of the cash disbursement data, were recorded as voided in the town’s financial management system. But the town was not able to produce 12 of the checks because the bookkeeper did not maintain all voided checks due to a lack of adequate storage space. The audit noted that this increases the risk that checks can be lost, stolen or misused.
The audit recommended the Town Board establish written policies and procedures for cash receipts; that disbursements have a second individual assigned for electronic transfers and that the bookkeeper retain all voided checks in sequential order.
The audit stated that the Town Board had no established policy to notify residents when a security breech had occurred with town records. It was also pointed out that the town has no policy of who has authorization for IT remote access, how that access is granted, the method of gaining access and how remote access will be monitored, tracked or controlled. This puts the town in the position of being unprepared to manage breeches and at a higher risk of unauthorized access to systems and data. The audit revealed that the Town Board has no disaster recovery plan in place for data; has not hired a third party IT vendor; nor installed an Intrusion Detection System [IDS] on the town’s server or computers. This leaves the town vulnerable to unauthorized access to confidential information, harmful viruses or files being changed undetected. Without a plan, it was pointed out that in an emergency, there are no guidelines for town personnel to assist in minimizing loss of data and information or how to implement disaster recovery procedures.
The audit stated that the former Supervisor [Costantino] did not install an intrusion detection system because he did not know it was available and that the IT person the town had at the time would not take any action without “explicit instructions” from the Town Board. In addition the audit revealed that user access was not monitored because Costantino “was unaware he could perform this function.” This left the town vulnerable, not only to unauthorized access to confidential information, but to viruses, improper input of data and to undetected changes made to town files.
The audit stated that of 15 vendors they selected for review, only three had the required worker’s compensation insurance form on file. Two others had submitted non-approved forms and no forms were submitted to the town by the remaining 10 vendors. In addition, all 15 vendors failed to submit the required proof of disability insurance form. The audit noted that Costantino’s confidential secretary, Wendy Rosinski, was responsible for collecting and keeping on file all of these forms, including workers compensation forms from those who won bids with the town. Rosinski stated to the auditors that “the Town was not aware that there were specific forms that were approved. In addition, they did not realize they were required to keep these forms on file for all vendors.”
The audit stated that verification of insurance is necessary to ensure that benefits are made available to workers should they be injured. Having the proper paperwork the audit pointed out “levels the playing field” for responsible businesses because they are less likely to be underbid by employers who gain a cost advantage by not carrying insurance. In addition, it reduces the town’s liability in the event of an “accident or injury.” By failing to have the proper forms on file the town was not in compliance with the Worker’s Compensation Law.
The audit stated that Risk Management “is the process of identifying, measuring and monitoring risk, including the risk arising from contractual relationships with IT Service providers.” The audit stated that contracts for IT services are designed “as a means of capturing organizational needs and expectations, and avoiding potential future misunderstandings about the services to be performed. It should establish measurable targets of performance so a common understanding of the nature and level of service required can be achieved.” For the time period examined, the audit stated that the town outsourced their IT services at a cost of $21,900. The town only had a letter stating the rates they were charged and a 100-hour minimum for small business computer consulting services, but with no specificity for what services would be rendered and no delineation of the responsibilities of both parties
“The Supervisor [Costantino] stated that the IT contractor was working for the Town before he took office and the Board did not believe they needed a contract. As a result, the Town does not have a formalized means of capturing organizational needs and expectations, and avoiding potential future misunderstandings about the services to be performed.”
On May 9, 2012, Supervisor Paul Hansut sent a response letter to Christopher Ellis, Chief Examiner of the Newburgh Regional Office of the Office of the NYS Comptroller. Hansut outlined the steps the town has taken since he took office in January 2012 to address the deficiencies highlighted in the audit. New policies for cash receipts and disbursements are being implemented as well as an overhaul of the electronic banking authorizations. A detailed coding of all vouchers will be done and then verified by two Town Board members and then submitted to the bookkeeper for processing and preparation. This will then be presented to the full Town Board for their signatures and approval.
Hansut informed the Comptroller that Lloyd hired Northeast Computer Services to address the “delinquencies in our current policies and procedures,” especially with issues concerning remote access, intrusion detection and password protection.
Hansut also stated that all town departments have been notified in writing on how to obtain and verify that the proper paperwork has been collected on worker’s compensation and certificates of insurance. These will be kept on file in his office and updated when necessary.
Hansut said that he will restate in writing the need to adhere to the provisions in General Municipal Law concerning personal financial interests and public powers in order for officials and employees to avoid conflicts of interest, promising to adhere to the $750 maximum allowed limit.
By Mark Reynolds