The Office of the State Comptroller recently released its audit of the Pomona stadium project with some very interesting results. In addition to broad financial matters, the audit investigated internal controls over selected financial activities and IT systems.
The comptroller’s initial audit alleged that, out of approximately 220 town computers, 161 were being used to visit non-work-related sites such as porn sites, dating sites, and social media, even though the town has Internet content filters on its network servers to block access to certain websites. Of the 161, auditors further tested six and found additional usage of eBay.com and HSN.com shopping sites, Match.com, and TurboTax.com for personal tax use.
Ramapo replied that it was all a big misunderstanding, and that an “html” can be registered without users ever visiting the site, and further, there was no way to know how long a user was on a particular site. The auditors recommended that Ramapo implement changes and give a “Security Awareness Training” session to employees. As of this audit, the board has done none of this.
The audit continues with the security of the town’s online banking system. Auditors claim that employees are able to access the town’s banking through desktop shortcuts, and that workers were not clearing the temporary Internet files cached on the computers, thus increasing the risk of unauthorized access. The auditors indicate that town funds are at risk of cyber fraud and, alarmingly, that Ramapo residents’ personal, private or sensitive information is at risk of being breached.
Ramapo again said this charge is overdrawn and that their IT security has never been bypassed.
Town personnel collect Social Security numbers, driver’s license numbers and bank account information for business purposes; however, the town has not adopted a formal breach notification policy, nor even classified its data according to risk, Comptroller DiNapoli’s Office said. The law requires the town to have a notification policy.
Ramapo claimed to be unaware of such a requirement. However, since the first phase of the audit, the town has been working on it.
The audit found that the “auto complete” feature in Internet Explorer, which saves passwords, usernames and login information, was “enabled” on some easily accessed workstations. The audit also said that the town’s online banking computer had the feature “enabled.” This means that with only the first letter of the password, the whole password appeared.
As a result, the auditors said, the town is at risk that an unauthorized user could sign on and access the bank information. When the town was notified, it disabled auto complete, the comptroller’s report said. The question is how long that had been happening. The town also did not update user accounts when employees left. Out of 496 network user accounts, 66 users of the town’s financial software had left town service but still had access. When the town was informed, action was taken to deactivate the users.
In response to the above audit comments, the Town of Ramapo’s official response was that no breaches have occurred, the audit exaggerates the significance of the “auto complete” setting risk, access by former employees to town computers is simply not so, most are deactivated promptly, and the use of the computers for personal likes is greatly exaggerated. “We unequivocally state that none of our users intentionally visited pornographic sites. The auditors did not consider the fact that some sites visited were the result of police investigations,” the town’s response reads.
The audit explains that Ramapo’s transfer of land for the Pomona baseball field may leave Ramapo with a $60 million bill when all is said and done. Even though residents voted down the financing of the project, the town transferred land worth $8.4 million to its Local Development Corporation (LDC), which is technically a private, not-for-profit corporation, of which St. Lawrence is president.
After this the town spent an additional $27 million on improvements. St. Lawrence claims the actual amount is half that.
The comptroller found that the town agreed to serve as a loan guarantor for the bonds totaling another $25 million for the baseball stadium when it was apparent that the RLDC would be unable to obtain financing. As a result, the town is most likely on the hook for $27 million in bond payments over the next five years, when the stadium’s estimated revenue will only generate $7 million, the comptroller’s audit said.
The Ramapo Town Board has fiduciary responsibility for town assets and finances and an obligation to serve the community, protect taxpayers’ interests, and exercise good faith and due diligence. This also includes establishing a sound internal control environment. An important component of any system of internal controls is the control environment, or “tone at the top.”
The audit found that the town board did not exercise effective oversight of the town. It did not establish policies or oversee the town’s financial operations. Ramapo board members responded that they received no financial reports, including the baseball stadium expenditures, and that they made decisions based on representations from the town attorney and Supervisor Christopher St. Lawrence.