The audit of city finances by the NYS Comptroller (released May 2013) included, in addition to the principal 26-page financial review, a confidential seven-page letter called “The IT letter.” That would be “I” for information and “T” for technology. The letter was sent to “City Officials” and was dated April 3, 2013.
That seven-page document took a hard and detailed look at the city’s “weaknesses in your information and technology controls.”
In other words, the letter/audit critiqued the lack of security of the city’s computer system and financial system. The upshot of the seven-page finding was that the city’s computer/finance system was wide open to attack or manipulation from both inside and outside city hall.
The Reporter wants to emphasize that the IT document was deemed to be confidential and, as such, it was not publicly released as the 26-page audit was. Instead it was held back as a need-to-know document. The Reporter has read the IT document.
The Reporter, fully aware of the sensitive nature of this IT audit, does not want to publish any portion of the IT audit that could harm the City.
And so those portions of the IT audit contained in this article are relatively white bread as the IT audit goes.
In fact, the principal 26-page City audit itself contains surprising, if not shocking, publicly released information regarding the porous nature of the city’s finance and computer systems.
As we have written many times previously, the 26-page city audit is available online through the NYS Comptroller’s website.
The IT audit is not available anywhere as far as we know. (Simply search online for the 26-page audit titled, “City of Niagara Falls Financial Management and Information Technology Report of Examination Period Covered January 1, 2009 – January 9, 2013.”)
While the State posted the 26-page report online, the city has not posted the report.
Did the city formally respond to the 26-page May 2013 audit? We don’t know.
Did the city formally respond to the April 3, 2013 IT audit/letter? We don’t know.
Some quotes from the IT letter:
Page 1 (April 3, 2013 cover letter)
Dear City Officials:
In conjunction with our audit of the City of Niagara Falls (City), we identified weaknesses in your information technology security controls…due to the sensitive nature of these findings, we have excluded them from our audit report because of security concerns.
Page 2
“Password settings at the City are weak…without adequate password controls, unauthorized users could obtain and use passwords to gain access to the City’s computer network and applications…City officials have increased the risk of unauthorized individuals accessing critical business applications. Compromised accounts can be leveraged for internal or external attacks against the network and can result in the loss, manipulation, or corruption of sensitive data.”
Page 3
“The City has a significant number of vulnerabilities that pose risks to data interception, corruption, deletion, or other unauthorized consequences.”
“Of the 1,705 vulnerabilities identified, 240 were rated with a severity of 10.0 out of 10.0, and could result in a complete compromise of network and data confidentiality, integrity, and availability.”
Page 4
“The City is operating an IBM XXX XXX XXXXXXX XXXXX as its financial server. The XXXXX is an older computer system, first released in 19XX, and has its own programming language…as a result, customized security and auditing techniques must be used to assess the controls over the XXXXX.”
The actual computer program was named in the IT document, but the Reporter is redacting it in the interest of protecting the city.
While the above comments of the NYS Comptroller’s office within this confidential audit/letter are troubling, consider the following quote from the publicly released 26-page city audit, found on pages 14 and 15 under the heading “Information Technology”:
“They (City) have not implemented adequate controls and restrictions over user access to the financial system…As a result of these control weaknesses, the City’s IT assets are at an increased risk of possible theft, or compromise by intentional or unintentional manipulation or corruption…Effective access controls prevent users from being involved in multiple aspects of financial transactions and from accessing unauthorized areas where they can intentionally or unintentionally change or destroy critical data. The proper segregation of payroll, human resources, and accounts payable duties within the IT environment is an essential control to ensure that no one employee performs key aspects of payment processing, such as adding new vendors or employees to the City’s computer system, entering disbursements or payroll information, and processing checks…City officials stated that the financial software did not create an audit log and therefore they had no means of detecting inappropriate transactions and identifying the users responsible.”
The above paints a picture of a city financial system totally at risk of corruption and/or manipulation.
Worse yet, if the system were to be corrupted, there would be no way to prove who did the corrupting or manipulating. If we were to view city government as a publicly held business with an annual $96 million operating budget, it would be fair to say that the business has left its front door open and the keys to the vault on the desk.