Institutional Federal Compliance Report 2021

STATE OF NEW YORK

Schedule of Findings and Questioned Costs

March 31, 2019

Recommendation We recommend the Department review their policies and procedures to ensure it includes appropriate review of SOC 1 reports relied upon for compliance, including ensuring effective CUECs are in place as required by the service organization to achieve the control objectives. Additionally, due to the significant gap between the SOC1 report date and the State’s fiscal year end, nine months (June 30–March 31), we recommend the Department ensure consistent communication with the service organization in relation to changes from the latest report. The Department should be made aware changes such as processes and information systems, key personnel, design, or implementation of controls that were necessary to achieve the control objectives, reports or other data received, contracts or service level agreements, and errors identified in the service organization’s processing or incidents of noncompliance with laws and regulations or fraud. Views of Responsible Officials Recommendation accepted. Corrective action in progress. Reference the corrective action plan for further details.

79

(Continued)