Institutional Federal Compliance Report 2021

CORRECTIVE ACTION PLAN

Single Audit of Federal Programs for State Fiscal Year Ended March 31, 2019

State Agency: Office of General Services

Single Audit Contact: Theresa Bonneau

Title: Director of Internal Audit

Telephone: (518) 402-5846

E-mail Address: theresa.bonneau@ogs.ny.gov

Federal Program(s) (CFDA # [s]):

Special Supplemental Nutrition Program for Women, Infants, and Children (10.557)
Child Care and Development Fund Cluster (93.575, 93.596)
Block Grant for Prevention and Treatment of Substance Abuse (93.959)
Maternal and Child Health Services Block Grant to the States (93.994)
Unemployment Insurance (17.225)

Audit Report Reference: 2019-040

Anticipated Completion Date: 9/30/2020

Corrective Action Planned: OGS agrees and will establish and execute an annual, risk-based user access review.

Implementation Dates: Approximately one quarter of the ~45,000 LATS-NY users on December 31, 2019, March 31, 2020, June 30, 2020, and September 30, 2020.

Corrective Action Plan: OGS agrees. OGS will articulate in its future contracts with CMA the requirement for establishing and maintaining appropriate General Information Technology Controls over LATS-NY.

Additionally, OGS directed CMA, and CMA agreed, to implement stronger controls over code development and migration going forward. Specifically, CMA has set up the Splunk utility to monitor the Production Web site folders and send out alerts to specified individuals, as well as to a restricted audit folder, when any files in the Web folder (web pages, config files, DLL) have been added, deleted or modified. The alert identifies the file, who made the push, and when it was made. This information is retained for scheduled releases, but more importantly it will alert the CMA team if any unauthorized or unscheduled changes are pushed out to a web site. This will permit CMA to capture and, if necessary, otherwise address or rectify such unauthorized actions. Additionally, CMA will implement an additional control to
