Institutional Federal Compliance Report 2021

STATE OF NEW YORK

Schedule of Findings and Questioned Costs

March 31, 2019

unable to provide evidence that users, when terminated, were timely removed from the system to limit its access to modify data.

Possible Asserted Effect

Failure to have a reliable general information technology environment over logical access may result in unauthorized changes being made to the NYWIC system, which may result in erroneous reliance on the operating effectiveness of automated information technology controls over allowability and eligibility of beneficiary payments.

Questioned Costs

None

Statistical Sampling

The sample was not intended to be, and was not, a statistically valid sample.

Recommendation

We recommend the Department correct deficiencies identified in the NYWIC application and supporting infrastructure environments to ensure its ability to rely on automated information technology controls.

• We recommend that management implement an annual user access review with emphasis on the completeness and accuracy of the listing of users being reviewed.
• We recommend that management review and update the policies and procedures for deprovisioning with an emphasis on the retention of systematic evidence over the process of timely removals.
• We recommend that management review and update policies and procedures for backup/batch jobs with an emphasis on the retention of systematic evidence over job monitoring for backup/batch jobs.

Views of Responsible Officials

Recommendation accepted. Corrective action in progress. Reference the corrective action plan for further details.
