Institutional Federal Compliance Report 2021
STATE OF NEW YORK
Schedule of Findings and Questioned Costs
March 31, 2019
Cause
The condition found is due to the Department’s general information technology controls over change management not being properly designed and implemented. Specifically, while management periodically has an independent review performed of changes to the Cafe system documented through its internal tracking system, a changelog listing could not be generated from the Cafe system to compare against the list of changes reviewed from the Department’s internal tracking system, to ensure that a complete and accurate population was periodically reviewed. Additionally, the Department does not have any compensating controls to mitigate the risk that an unauthorized change could have occurred, as its organizational structure does not allow for an appropriate level of segregation of duties between developers and migrators. Further, we noted during our review that although these users have access to both environments, the majority of changes are tested and approved by a select group of individuals in the Grants Finance office of the Department prior to the ITS office of the Department migrating the changes into the production environment. In addition, the Department’s Grants Finance office management has indicated that informal reviews are completed related to award identification and period of performance. However, the Department’s Grants Finance office management did not maintain documentation evidencing the performance of the informal review controls.

Possible Asserted Effect
Failure to have a reliable GITC environment over change management may result in unauthorized changes being made to the Cafe system, which potentially may result in erroneous reliance on the operating effectiveness of automated information technology controls over areas of the Cafe system such as period of performance and award notification.

Deficiencies in the internal control of GITC resulting in potentially ineffective internal controls over period of performance may result in federal awards being utilized outside of the period allowable under Federal statutes, regulations, and the terms and conditions of the federal award. Failure to have effective controls over award identification may result in federal funds provided under the federal award being used for unauthorized purposes contrary to Federal statutes, regulations, and the terms and conditions of the subaward.

Questioned Costs
None

Statistical Sampling
The sample was not intended to be, and was not, a statistically valid sample.

Recommendation
We recommend the Department revise its change management procedures to ensure that the changes periodically reviewed from its internal ticketing system are a complete and accurate population. Alternatively, we recommend the Department implement secondary manual internal controls over period of performance and award notification to further mitigate the risk of federal awards being utilized outside the period of the grant provisions and to ensure that subrecipients do not obtain inaccurate award information.

Views of Responsible Officials
Recommendation accepted. Corrective action in progress. Reference the corrective action plan for further details.