August 2016 audit by the Office of State Comptroller finds significant deficiencies in planning the execution of the transformation, with little or no evidence that many basic planning steps were performed.
Purpose: To determine how effective the recommended Information Technology Transformation process was to meet mandated requirements. The audit covers the period January 22, 2015 to March 30, 2016.
Background The Office of Information Technology Services (ITS) was established in November 2012 as part of a New York State Information Technology (IT) Transformation to consolidate and merge State agencies’ operations and streamline services. ITS was created pursuant to a recommendation of the Governor’s Spending and Government Efficiency Commission (Commission). The Commission’s Final Report was issued in February 2013 and contained three main sections: Reorganizing Government, Reducing Costs and Improving Services, and Building a Culture of Performance and Accountability. The creation of ITS was part of the second section, Reducing Costs and Improving Services, which outlined a framework by which ITS was created and projected annual savings of approximately $290 million as a result of three major initiatives: Organizational Restructuring, IT Infrastructure Modernization (Data Center Modernization, Digital Network Consolidation, Email Consolidation and Integration, Enterprise Identification and Access Management), and Accelerating the Development of IT Projects with a High Return on Investment and a High Impact on Performance.
Since the Commission’s report was issued in 2013, we completed separate audits of the security and effectiveness of core systems at three major agencies, each organized within a different part of ITS. In each case, we reported on areas where ITS had not established adequate controls over its processes and procedures during the Transformation. For example, our audits questioned: the adequacy of access controls and change management at all three agencies; the implementation of Payment Card Industry standards at the Department of Motor Vehicles; data classification efforts at both the Department of Labor and Division of Criminal Justice Services; and the ease and efficiency of core programming languages at the Department of Labor and the Department of Motor Vehicles. As a result, in January 2015, we began this audit of the effectiveness of the overall Transformation effort.
Key Findings • There were significant deficiencies in planning the execution of the Transformation, with little or no evidence that many basic planning steps were performed. For example, a risk assessment was not conducted timely to help identify priorities and avoid unintended consequences, nor were there any benchmarks for customer service levels and costs established at the onset of the Transformation. As a result, ITS had little data to quantify or measure what benefits, if any, the Transformation has brought about thus far. Moreover, these deficiencies significantly limited ITS’ ability to maintain continuity and meet the goals established in the Commission report, especially in an era of recurring turnover among top-level ITS executives. •
ITS is still working toward completion of several of the goals outlined by the Commission. In fact, the Commission’s report labeled the four major technology initiatives as “well underway” at the 2015-S-2 Division of State Government Accountability 2 time. However, we found that ITS is currently in its fourth year, and only one of these initiatives (Email Consolidation and Integration) has shown significant progress and is ostensibly complete. The status of the other three (Data Center Modernization, Digital Network Consolidation, and Enterprise Identification and Access Management) can best be considered “underway.” As of the conclusion of our audit fieldwork, ITS was moving forward with efforts to consolidate technology services, reduce redundancy, and increase process and system standardization.
ITS often did not provide timely or independent access to certain data and staff, thus limiting the reliability of some of the data that auditors received and the interviews the auditors conducted. As such, there is considerable risk that material information pertaining to the IT Transformation was withheld. Further, throughout the audit, we were presented with contradictory information when trying to obtain documentation and answers to our inquiries.
- Formally assess the adequacy of the of the internal control environment at ITS and take the necessary steps to ensure the control environment is adequate, including cooperation with authorized State oversight inquiries.
- Complete an overall risk assessment of ITS and incorporate it into the new FY 2016-17 project plan.
- Work with State agencies to facilitate their sharing of successful and innovative practices to more efficiently and effectively manage ITS resources and assets.
Agency Response and Auditor’s Comments
- In their formal response to our draft report, ITS officials disagreed with several of our findings and conclusions. Further, officials asserted that current ITS practices are consistent with our audit recommendations. Based on ITS’ response, we anticipate that ITS will continue to work toward full implementation of our recommendations. Nonetheless, with respect to the conduct of the audit, ITS officials misunderstood their obligations regarding cooperation with statutorily authorized State oversight entities such as OSC. Also, our rejoinders to certain ITS statements are embedded within its response as State Comptroller’s Comments.
- Regarding audit recommendations, ITS officials indicated that a formal risk assessment is currently underway. Such assessment should be completed in a most timely manner. Further, we encourage ITS to establish formal timelines for the completion of major Transformation projects, since this has not been an ongoing practice for several of its projects we reviewed. As detailed in the report, the Transformation is now in its fourth year, and it is still unclear when certain major components of the initiative will be completed.