1250 Broadway, 27th Floor New York, NY 10001


Here's a press release we just received from New York City Comptroller Bill Thompson :



New York City Comptroller William C. Thompson, Jr. today said control weaknesses in the Department of Housing Preservation and Development's Emergency Repair Program database could hamper the City's ability to ensure that vendors are being paid and property owners billed.

"My office has uncovered some data reliability problems with the current database that if not immediately addressed could compromise its integrity," Thompson said. "I urge the City to make the necessary adjustments to ensure that no information is slipping through the cracks."

Complaints regarding emergency conditions from tenants in privately-owned and City-owned housing are routed through 311 to the Housing Preservation and Development's (HPD's) Central Complaint Bureau. Information is logged and the property owner is notified of the situation. Steps are taken to ensure that the problem has been fixed. If not, a Notice of Violation is issued to the owner, who has 24 to 72 hours to make repairs.

If no repairs are made, HPD, through its Emergency Repair Program (ERP), hires a contractor from a pre-approved list, or assigns its own employees to make repairs. HPD notifies the Department of Finance of the cost of the repair and DOF is responsible for billing the owner for the cost of repairs. If the owner fails to pay, a lien is placed on the property after 60 days.

The audit - available at www.comptroller.nyc.gov - analyzed the reliability and integrity of ERP. Auditors found inaccurate and incomplete data, unused data fields in the ERP database, and weaknesses in the control of user accessibility to the database.

The audit found that the ERP database, specifically the vendor file, contained blanks, negative numbers and invalid numbers, in violation of a Comptroller's Directive that states "agencies must ensure that every transaction entering the information processing environment is authorized, recorded, and processed completely and accurately, protected from physical loss, theft, or unauthorized manipulation, and the data file integrity is preserved."

"The identified weaknesses can serve to diminish the integrity, reliability, and completeness of the information, which could lead to duplicate, inaccurate and fraudulent payments," Thompson said.

Additionally, a review of the authenticity of the vendors that HPD uses for ERP services found that 250 vendors on record lacked complete information.

Auditors also found that HPD does not have user account password policies and procedures for the ERP database. For instance, users are not required to periodically change their passwords, the system is not equipped with a feature that suspends a user's access to the system after a predetermined number of unsuccessful log-in attempts, and a number of users, many of whom are no longer employed by HPD, still had access to the database.

"HPD should develop tighter controls over access to the database," Thompson said.  "This information should be available only to those who actively use the ERP. By allowing former employees to access the database, a serious breach of security could conceivably take place."

Thompson made five recommendations to HPD of which they generally agreed with three, disagreed with one, and did not address one.

# # #