Scribd Logo
Upload

Welcome to Scribd!

  • OPI Report

    Uploaded by

    Patrick Crozier
    1K views23 pages
    OPI Report

    Copyright

    © © All Rights Reserved

    Available Formats

    PDF or read online from Scribd

    Did you find this document useful?

    Is this content inappropriate?

    Report this Document
    OPI Report

    Copyright:

    © All Rights Reserved
    Download as PDF or read online from Scribd
    Flag for inappropriate content
    1K views23 pages

    OPI Report

    Uploaded by

    Patrick Crozier
    OPI Report

    Copyright:

    © All Rights Reserved
    Download as PDF or read online from Scribd
    Flag for inappropriate content
    of 23
    Office of Public Integrity Monroe County, New York Cheryl Dinolfo David T. Moore County Executive Director September 6, 2018 David Moore Inspector General Office of Public Integrity 45 Exchange Blvd Rochester, NY 14604 Director Moore, Complat At the request of the Monroe County Legislature Majority Leader, the Office of Public integrity (OPI) conducted an investigation concerning the allegations of mishandling of customers private and personal information by members of the Monroe County Clerl’s Office assigned to Department of ‘Motor Vehicles {OMV) tasks. When apprised of the situation by local news media, County Cierk Bello and his staff took immediate steps to mitigate the potential breach. These steps included new policies on how written records ‘were secured and destroyed, new training for all staff assigned to DMV, and disciplinary interviews with staff, On 5/30/28 Clerk Bello released a statement to the press indicating that his office determined that the Irondequoit DMV transactions were “most likely returned to customers, ” while the information found in Henriatta was characterized as being "traced back to single employee who was not following established procedure” and a substitute custodian who "mistook bags of documents meant for the recycling bin for garbage bags.” He continued that "The Clerk's Office conducted investigatory hearings with the employees involved inthis matter.” His release also claimed he "..began an investigation with the NYS DMV to forensially determine the scope of whose forms could have Potentially been mishandled.” As part ofthis public report he "...aid out plans to work with the NYS DMV to ausit the records ofthat particular cashier to better define the limited pool of customers, whose forms may have been handled improperiy.” Initial Findings: ‘The Clerk’s public statements are not consistent with the findings of OPI's investigation into this, ‘matter. Specifically OPI finds that: ‘© Customers and clerks in Irondequoit indicate that the information found by B. Brean was given to DMV clerks and then discarded in the trash by that DMV clerk. Times Square Building + 45 Exchange Sueet, Suite 888 + Rochester, New York 14614 (585) 753-3100 «fax: (585) 325-6293 + www monroecounty.gov Office of Public Integrity Monroe County, New York Cheryl Dinolfo David T. Moore County Executive Director ‘The Henrietta documents were traced back to B or 9 DMV employees. (Mr. Bello had limited Information about how widespread the issue was because, in the few documents Mr. Brean shared with him, only one clerk was identified.) Many documents indicated editing by clerks (for instance, red pen writing on them.) Material recovered included Ink Stamps, Temporary inspection Stickers, Plate Stickers and an employee timesheet, which could not have come from the customer waiting area. The Monroe County Sheriff's Office vehicle transactions were handled by the branch manager. ‘The individual who retrieved the DMV information from Henrietta Indicated that he secured 4 big bags of trash from the dumpster. He characterized the bags as being full of "garbage, food, plates, coffee cups and liquids” mixed with the documents found. These Items were ot sorted for recycling. Ths is supported by the condition of same of the papers retrieved from him, and the presence of non-paper items (ink stamp, plastic stickers) in the materials he provided. The cleaner states that his substitute was not working during the stated times, He states he was nat contacted by anyone from the Clerk's Office regarding this matter. The refuse removal is handled by the city of Rochester by an intragovernmental agreement. {na June 13, 2018 report on WHEC, Clerk Bello stated: "..We were able to forensicaly go back through and look at what happened, what were those forms and really identify who they were." OPI noted that the Clerk's Office had na way of knowing how many people were exposed until given a count by this office. n fact, the Clek’s Office only knew of 5 potential victims and the 3 MCSO plate requests. 3 of the customers did transactions at the Irondequoit office, but somehow the Clerk identified only an employee at Henvietta as responsible for the breach, ‘While the Clerk's report criticizes OPI for indicating that any customers within past 90 days ‘may have had information compromised, itis clear that the amount of exposure of Confidential information at the local DMV offices is unknown and unquantifiable. On one day (5/3/18) the personal private information of 88 customers was exposed, and on anather day (5/22/18) three customers at another branch were exposed. There can be no accurate way of knowing: 1) how long customer information was mishandled, or 2) how many documents including Private Personal information were thrown away prior to 5/22/18. (OP! finds that the attempts to discipline employees alleged to be responsible were hasty, a5, while anly one employee was identified by the extremely limited sample received from the ‘media, OPI has determined there were other staff involved. The employees we spoke to indicated they were not trained in proper disposal of customer's private and personal information, outside of being told not to intentionally release such information, ‘Times Square Building - 45 Exchange Street, Suite 888 * Rochester, New York 14614 (585) 753-3100 + fax: (585) 325-6293 + wunw.monroecounty.gov Office of Public Integrity Monroe County, New York Cheryl Dinolfo David T. Moore County Executive Director On 5/25/2018, OPI was requested by the Monroe County Legislature Majority Leader to Investigate a breach of confidential personal information involing documents originating from DMV offices. The concern came to light when NEWS 10 reporter Berkley Brean showed documents with personal information, on air, to County Clerk Adam Bello. Brean also interviewed and aired two men, Davi Motishaw and Kevin Travers. Mottshaw claimed to have found documents in the dumpster with personal information. Travers was shown and verified one of his DMV documents by Brean. Brean also showed redacted copies of documents he collected himself from the Irondequoit OMY dumpster. (On 5/25/18 OP! located addresses and phone information on the original complainant from the 'News10 article, David Mottshaw, and the other customer identified on air, Kevin Travers. Reporting Investigator (Rl) found addresses for both and did home visits on 5/29/18 in an attempt to interview them. R's spoke to Mottshaw via telephone and he agreed to meet investigators on 05/30/18, ‘On 05/30/18 Ri's met with Mr. Mottshaw at Tim Hortons on University Ave. Mr. Mottshaw stated that he had gone to DMV Henrietta office on 5/3/18 and had argued with the cashier and her supervisor regarding providing his social security number (SSN). He was claiming that it was illegal for DMV to write down his full SSN on his paperwork, and he felt they would lose or subject his information to discovery by others. He claimed that by speaking his social security number he had ‘met the state's requirement to provide his SSN. He was asked to leave the DMV office. The supervisor then asked him to leave, or she would call the police. He stated he returned that night, and retrieved “4 big bags of garbage” from an unsecured dumpster behind the building at suburban plaza. He described the bags as containing papers, junk and live garbage. From those four bags he had with him a Wegmans bag ¥ full of DMV documents, These included forms, envelopes, deposit slips, employee information, deposit stamp, temporary Inspection booklets, 3 registration requests from MCSO, and many voter registration cards. Mr Mottshaw subsequently contacted WHEC news. Berkely Brean was the assigned reporter. OPI investigators informed Mr. Mottshaw he really had no right to possess the documents in his possession, and - while he did not acquire them illegally - he could be in some legal jeopardy if he retained custody of them. He agreed to give the documents to OPI investigators. He stated that he hhad already turned over the Registration requests from MCSO by turning them over to a deputy at hhis home. OPI investigator Peglow verified this with MCSO, and obtained a copy of the information Mr. Mottshaw provided them. He stated that he had no more documents in his possession. ‘Times Squate Building + 45 Exchange Street, Suite 888 « Rochester, New York 14614 (585) 753-3100 « fax: (585) 325-6293 + www.monroecounty.gov Office of Public Integrity Monroe County, New York Cheryl Dinolfo David T. Moore County Executive Director OP! Investigators catalogued and sorted all information retrieved. OPI investigators interviewed Kevin Travers on same date. He states he did his transaction at the Henrietta branch, Travers was asked if he was given the form back and threw it away or the clerk kept it. He was certain the clerk kept his form Director Moore and the County Law Department spoke to Mr. Grean and requested he turn over any information he had obtained from the Irondequoit DMV office. WHEC eventually, days later, agreed to give copies to OPI, and these documents were retrieved and catalogued. There were only three copies turned over by WHEC. After the retrieved information was catalogued OPI used the NYS Penal law § 190.77 definition when determining what would be classified as personal information, This was to include: Name Telephone number Date of birth License number Social security number Place of employment Financial services account number ature ‘Maiden name Per General Business Law § 899-2a, businesses are required to notify a consumer of a breach when Private information is breached. Private information means any personal information defined above combined with any one or more of the following elements: Social Security Number Driver's License Number or Non-Driver #0 card number Times Square Building - 45 Exchange Street, Suite 888 + Rochester, New York 14614 (585) 753-3100 + fax: (585) 325-6293 + wnnw.monroecounty.gov Office of Public Integrity Monroe County, New York Cheryl Dinolfo David T. Moore County Executive Director ‘Account Number, Debit or Credit Card number in combination with any security code, access Code of password that would permit access to a financial account. Private Information does not include publicly available information whic to the general public fram federal, state or local government records, lawfully made available Under these definitions we identified 88 Individuals whose private information was exposed to disclosure. The information provided by Mr. Mottshaw was traced back to be the work product of 8 0r 9 different DMV clerks in Henrietta and 1 in Greece. (We were unable to identify one transaction that could have been done by 2 of 2 different clerks. In addition there were some documents that had no corresponding transaction at all, and some where a cashier could not be identified.) We further identified 3 DMV clerks who were involved with the information Mr. Brean found in the Irondequoit dumpster. As one of the items found was a deposit slip, OPI tried to determine whether this filled out deposit slip matched the deposit done by the assigned cashier. It did not. We inquired into the deposit process with the help of the Deputy County Clerk, the DMV auditor assigned to Henrietta, and the Supervising Clerk from Henrietta. The deposit done on 4/30/18 was $20 more in cash than the Prepared deposit sip found in the discarded information, and $64.50 short in check deposit. The supervisor stated that the deposit is done at the end of the shift. When asked, she stated that while the deposit slip is initialed by the cashier, the amounts are filled in by a senior cashier or supervisor. ‘This total is then tallied against the computer transactions by the auditar to balance the drawer. She could not explain why a drawer amount would increase by $20. When asked about how It would Gecrease by a check for $64.50, she responded "I wonder if that was the day the cashier shredded his checks?" The cashier assigned to the drawer had shredded the 2 checks he recelved that day by mistake, The cashier later reached one customer, who replaced the shredded check with one for the same amount, This would explain why the drawer was short fora check. The final deposit slip was written by a different hand than the first. The most likely explanation for the cash discrepancy is a miscount by whoever first counted the drawer and wrote the amount on the deposit s On several occasions our office met with Deputy County Clerk Jeff McCann. He informed OPI of the actions taken by Clerk’s office. Mr. McCann promptly gave OPI any information we requested regarding policies, procedures, handbooks, training, and audits. As part of this process, we requested any communications from NYS OMV regarding their “forensic” investigation into the individual clerks responsible, or identity of customer's information exposed. There was none. There was a DMV audit done concurrent to our investigation, and Mr. McCann shared the results with us, but management ‘Times Square Building + 45 Exchange Street, Suite 888 + Rochester, New York 14614 (585) 753-3100 «fax: (585) 325-6293 « www. monroecounty.gov Office of Public Integrity Monroe County, New York Cheryl Dinolfo David T. Moore County Executive Director had not yet finished their responses to the Audit. OPI found that few of the Audits concerns dealt with the subject at hand, the unintentional release of confidential Information (OPI notes that Clerk Bello and his management staff took immediate and substantive corrective action regarding the handling of protected and personal information at all County branches of OMY. All staff are currently instructed that any forms will be disposed of by shredding or placed in secured shredding bins. Two bins per office, and a third for customers were provided, After consulting with the County Law Department, the Clerk's Office sent a letter to all BB customers potentially exposed offering a one year credit monitoring subscription, The Clerk's office has naw properly instructed all employees of the proper disposal of personal and brivate information. They have also updated their emplayee files to Include an acknowledgment from each employee. ‘The Clerk's office also instituted a broader safety and security review for their DMV offices, offsite mobile offices, and equipment. The Monroe County Sheriff's Office Crime Prevention officers did a security and safety review. Clerk Bello reported that he had contacted MCSO for security reviews after this information breach became known, intimating MCSO would help with this issue. Sg. Zambuto stated that he was directed to contact County Clerk administrators in March of 2018 to discuss active shooter training, The conversation morphed into security reviews of the DIMV sites. One location was examined by Deputies on or about May 15, 2028, Set. Zambuto said he has had no further contact with DMY since. OPI asked if any of the conversations Involved information security or internat fraud protection and he said no. RECOMMENDATIONS: ‘© OPI recommends that the new document handling processes instituted by Clerk Bello be codified and continued. Additionally personal information safety posters should be prominently displayed in the customer waiting area to encourage customers to use the secure recycling for their own safety. This policy should be routinely reviewed with ‘employees by County DMV administration. © OPl recommends that the Clerk's Office begin a course of action to address and comply with the suggestions contained in the NYSDMV Audit 2018786, The Monroe County Clerk's Office hhas agreed to a September 28, 2018 completion date. The MVR Cashier policy indicates that the cashier should be present when their deposit is. counted. The procedure as explained to this office is that the cashier provides an initialed Times Square Building + 45 Exchange Street, Suite 888 + Rochester, New York 14614 (585) 753-3100 «fax: (585) 325-6293 + www.monroecounty gov Office of Public Integrity Monroe County, New York Cheryl Dinolfo David T. Moore County Executive Director blank deposit slip and the cash is then counted by a supervisor. We recommend that the cashier be present at the counting, and intial the deposit slip when satisfied the count is correct © A formal training program for new employees implemented from a written curriculum should be created and implemented at the County DMV. This should involve, but nat be limited to: the uniform instruction on County OMY policies, customer care expectations, and County polices in relation to information and money handling. An “observation period” would be recommended where new employees execute customer transactions under the supervision of 2 dedicated trainer whose responsibility during this time is to only answer, guide, and oversee the trainee(s) + Aformal taining program for new supervisors from a written curriculum should be created at the DMV. This should involve, but not be limited to: the uniform notification of DMV policies, supervisor responsibilities in audits, money handling, information handling, records retention and destruction, safety of employees, physical and security upkeep of the sites, and being appraised of the new employee t Investigator ‘Times Square Building + 45 Exchenge Street, Suite 888 + Rochester, New York 14614 (585) 753-3100 + fax: (585) 325-6293 + www. monroecounty.gov NEW YORK ST Department of Motor Vehicles AUDIT SERVICES AUDIT OBJECTIVE... ContaoLs. MANAGEMENT COMMENTS (Darr AUDIT RePoRT.. CONTRIBUTORS To THE REPORT. EXHIBIT A: RESPONSE TO AUDIT..10 Department of Motor Vehicles Audit Services Six Empire State Plaza Room 412 Albany, NY 12228 Phoni Emai \emv.nv.cov Audit Services Intranet: oe 518-474-0881 ivindex.cim Monroe County Special Audit Henrietta (RCH) Irondequoit (IRT) Greece (GRC) Metro Mobile (MCM) Westside Mobile (MC2) Eastside Mobile (MC3) Draft Audit Report: 201886 and 201887 Final Report Date: 7/30/2018 Monroe County Special Audit ‘Audit Reports 2018Y86 and 2018787 ———[$ ola aC AUDIT OBJECTIVE ‘The objectives ofthis audit were to determine whether the Monroe County DMV offices adhere to Department policies and Procedures as they relate to physical and information security, and system access controls. BACKGROUND The special audits of Monroe County DMV offices were started on 6/4/2018 and 6/5/2018. The Honorable Adam Bello is the Monroe County Cierk, Mr. Jeffery McCann is the Deputy County Clerk, Mr. Thomas Morrisey is the Assistant Deputy County Cletk, Ms. Beth Jodoin is the Henrietta Branch Manager, Ms. Heather Morgan is the Irondequoit Branch Manager, and Ms. Janice Chappell is the Greece Branch Manager. They ere charged with ensuring effective office operation and compliance with applicable regulations and departmental procedures. The three mobile offices each operate out of ‘a main branch office as follows: Metro Mobile: Henrietta Westside Mobile: Greece Eastside Mobile: Irondequoit All six Monroe County offices process and collect revenues for various license and registration transactions, as well as various sales and automobile use taxes. This special audit was the result of recent events reported in the local news. The County has since acted to ensure all employees are aware of Department policies and procedures relating to Personal, Private, and Sensitive Information (PPS!) AUDIT SCOPE To achieve our objectives we interviewed office personnel, observed office personnel as they performed their assigned duties, and noted the physical surroundings of the office. We also reviewed system access controls. The audit period was 5/1/2018 through 6/5/2018 Our audit complies with the Intemational Standards for the Professional Practice of Internal Auditing. These standards require that we plan and perform our audits to obtain sufficient, appropriate evidence to provide a feasonable basis for our findings and conclusions. We believe our audit provides a reasonable basis for our findings and conclusions AUDIT RESULTS Our audit discloses many improvements are needed in the following areas, with specific examples of the areas of concern and recommendations presented in this report = Security * System Access Controls Page 2 of 16 Monroe County Special Audit Audit Reports 2018786 and 2018Y87 [See Security 1. Access to the plate room is available to all cashiers at the Henrietta office. Limiting access to the security room ensures protection of security items, Allowing access by multiple personnel increases the risk of security items being lost or stolen. 2. The safe at the Greece office is left unlocked during the day, and does not have an alarm, Unrestricted access to the safe compromises accountability of the items. 3. The safe combinations at the Henrietta, Greece, and Irondequoit offices are nat changed annually ‘The sate is vulnerable to unauthorized eniry, = ‘Some cash drawers at the Henrietta and Greece offices have broken locks and are not lockable. b) Cashiers do not consistently lock up security items when leaving their station unattended at the Irondequoit office. ©) The cash drawers at the Metro Mobile office are not lockable. d) The cashiers leave money unsecured at the Westside Mobile and Eastside Mobile offices. Unsecured money and inventory items are at risk of manipulation and theft 5. a) Customer's applications, plates, documents, and writen test materials are stored in open. storage bins and/or in public view and reach at the Metro Mobile, Westside Mobile, and the Eastside Mobile offices b) Surrendered license plates at the Henrietta office are not secured after business hours. ©) Customer's applications and documents are within public reach at cashier workstations at the Irondequoit office. 2) Mall containing personal, private and sensitive information, including customer checks, is left unsecured during business hours at the Metro Mobile and at the Easiside Mobile offices. ©) All DMV offices in Monroe County have surrendered plates destroyed by a private ‘company without a DMV witness, Failure to secure these items increases the risk of theft or misuse, which can lead to fraudulent transactions and identity theft 6. The specie fund is not reconciled at least twice a day at the Henrietta office. Failure to verify the specie fund increases the risk of manipulation without detection cc _ Page Sof 16 Monroe County Special Audit Audit Report 2018Y86 and 201887 te 10. "4 12, 13, ‘The Westside Mobile van, containing plates, documents, and 10-day inspection stickers, was left unlocked in the parking lot. ‘An unlocked mobile van puts security items at risk. Fallure to secure security items Increases the risk of theft or misuse, which can lead to fraudulent transactions, ‘The Westside Mobile van keys are available to all employees, and cashiers obtain thelr own inventory. ‘The lack of accountability makes it dificult o resolve discrepancies, There are no alarms installed in any of the vans in Monroe County; security items are stored in the vans during the day. In the event of a situation, management and law enforcement may not be alerted timely, making thetts difficult to recover. 2) There is no bartier to prevent unauthorized access from the public area to the cashiering area at the Westside Mobile location. In addition, an unlocked public access door opens directly behind the cashiering area, b)_ There is no door to prevent unauthorized access from the public area and written test area to the cashiering area at the Metro Mobile and Eastside Mobile offices. When cashier stations are not protected from unauthorized access, the risk of theft of security items and monies increases. The cashiers’ safety is also compromised, Cashier's personal items such as handbags, purses, and cell phones, are kept al the ‘workstations at the Westside Mobile location. ‘Security items, including customer's personal, private, and sensitive information, is at risk of being compromised. ) The Westside Mobile location does not have a proctor to continuously monitor tests, nor does the office have signs posted prohibiting the use of electronic devices in the testing area b) The Eastside Mobile office does not have an area separated from the public for taking tests. ©) The Metro Mobile and Eastside Mobile offices do not have signs posted prohibiting the Use of electronic devices in the testing area. ‘The integrity of the tests may be compromised. Personnel records al the Henrietta office are stored in an unlocked cabinet. Unauthorized individuals g identity theft and fraud. ing access to confidential information increases the risk of Page 4 of 16 Monroe County Special Audit Audit Report 2018Y86 and 2018Y87 _———q“~" $n Recommendations: 1. The plate room must be restricted to authorized employees only. A supervisor should be responsible for distributing inventory items. (Reference: Procedure 4002) 2, The safe must be locked and alarmed at all times except when removing of inserting money. (Reference: Procedure 4002) 3, The safe combination should be changed annually as a precautionary measure. Documentation supporting the safe combination change must be retained. (Reference: Procedure 4002) 4, Allcash drawers must be lockable. All cashiers must use locking cash drawers for money and change funds. Cashiers must always lock up money and security items when leaving their station for any length of time. (Reference Procedure 4002) 5. All security items (ie. cash, checks, customers information, applications, license plates, documents, stickers, written tests, and surrendered plates) must be relocated out of public view and reach, and secured at all times. Cashier workstations should be constructed so customers cannot reach over the top, or through the window, to take any DMV items (Reference: Procedure 4002) 6. Supervisors are responsible for retention of @ daily record of specie fund cash (MV-1009 ‘Specie Fund Verification). The specie fund should be counted at least twice a day, after the ‘morning deposit and at the end of the day. (Reference: Procedure 4002) 7. All security items, including those in mobile units, must be secured during and after business hours. (Reference: Procedure 4002) 8. Mobile vans must be restricted to authorized employees only. A supervisor should be responsible for distributing inventory items. (Reference: Procedure 4002) 8. A security system, including an intrusion alarm, should be instelled to safeguard monies, security documents and other assets. (Reference: Procedure 4002) 10. A lockable door, or other barrier, should be installed to prevent unauthorized access by the public. (Reference: Procedure 4002) 11. Personal items must be stored in designated employee areas, such as a locker room or break room, and kept separate from all DMV security items and paperwork. (Reference: Procedure 4002) 12, All offices must have a separate testing area and a proctor to continuously monitor applicants taking written or automated tests. Signs must be posted prohibiting the use of electronic devices in the testing area. (Reference: Procedure 4168) 13. Personnel records must be Kept locked and secured at all times, and should only be accessible by authorized employees. (Reference: Procedure 4002) _——— Page 5 of 16 Monros County Special Audit Audit Report 2018786 and 201887 ‘System Access Controls 14, Cashiers at the Irondequoit Office do not always logolf or lock their terminal screen before leaving their workstation, Client information could be compromised. All employees are responsible for any activity someone else performs under thelr user ID. 15. The Cashier Assignment Report (CAR) is not reviewed monthly at any Monroe County office to ensure users are current, a) The Henrietta CAR of 6/4/2018 revealed 13 of 54 (24%) authorized WISE users were designated as supervisors on WISE. One user with supervisor access regularly cashiers. ‘Seventeen WISE user accounts have not been active for more than six months. The CAR was updated during the audit to 27 authorized WISE users, 11 were designated as supervisors on WISE, and 21 accounts were current employees of this office, The following six users remain on the CAR in case they are needed at this office. 9/8/2016 9/4/2015 HKIBBY 412412015 JCHAPPELL 712212016 TMORRISEY 3/5/2017 YYODICE, 6/9/2016 b) The Irondequoit CAR of 6/4/2018 revealed 15 of 51 (29%) authorized WISE users were designaled as supervisors on WISE. Fourteen users with supervisor access regularly cashier. Nine WISE user accounts have not been active for more than six, and remain on the CAR in case they are needed at this office. Inactive User Account __Last Logon “ABRADLEY “412016, MGALLOWAY1 1/8/2016 MNAPIER 11/30/2015 MQUINTERO2 19/29/2017 MMASTROGIOVANNI 1218/2018 SVERSHAY 4111/2014 STHORN1 11/29/2016 TMUSSO 43/2014 TMCKEE2 712212017 Page 6 of 16 Monroe County Special Audit Audit Report 2018786 and 201887 ©) The Greece CAR of 6/5/2018 revealed 18 of 48 (38%) authorized WISE users were designated as supervisors on WISE. Nine usors with supervisor access regularly cashier. ¢ e) Eleven WISE user accounts have not been active for more than six months, and remain on the CAR in case they are needed at this offce. Inactive User Account BIODOIN CRIVERA, EROMANS EDANIELS4 HMORGANS JSAWYER LSERCE MDAVY1 MGALLOWAY1 TMORRISEY1 TMCKEE2 Last Logon Date 6/17/2017 8/11/2017 10/27/2017 8/3/2016 8/12/2017 10/27/2017 9123/2017 Never logged on 12/12/2017 Never logged on 7128/2017 The Metro Mobile CAR of 6/6/2018 revealed 13 of 14 (9374) authorized WISE users were designated as supervisors on WISE, Twelve users with supervisor access regularly cashier, Eleven WISE user accounts have not been active for more than six months, and remain on the CAR in case they are needed at this office, Inactive User Account___Last Logon Dat BJODOIN 8712016 CARAUJO 14/1972016 DWEIRICH2 8/18/2017 EDANIELS4 8/4/2016 LANTELU 972712017 MGALLOWAY1 10/11/2017 MJULIAN4 7rei2017 PBAUN 27/2017 SKYLE Never logged on TMUSSO Never fogged on THARTLEBEN 2128/2017 The Westside Mobile CAR of 6/5/2018 revealed 15 of 19 (79%) authorized WISE users were designated as supervisors on WISE. Nine users with supervisor access regularly cashier. ‘One WISE user account has not been active for more than six months, and remains on the CAR in case needed at this office, Account Last Logon Date 2412017 SS EE Page 7 of 16 Monroe County Special Audit Audit Report 2018786 and 201887 —._ amt f) The Eastside Mobile CAR of 6/5/2016 revealed 19 of 32 (69%) authorized WISE users were designated as supervisors on WISE. Eighteen users with supervisor access regularly cashier. Three employees (Barbero, MPhillips9, and MBrozic) no longer work in the county, yat have active WISE accounts. Six WISE user accounts have noi been active for more than six months, and remain on the CAR in case they are needed at this office Inacti Account Last Logon Date MBARBERO 6/20/2017 MPHILLIPSS * 12/8/2014 MBROZIC * 5/10/2018 MWEBER13 Never Signed On RMORENCY1 11/19/2017, SVERSHAY Never Signed On SKYLE 10/25/2017 THAMILTONG 14/182017 YoDICE Never Signed On * No longer employed Not removing inactive WISE accounts could allow unauthorized access to the system 16. WISE system controls are compromised at all Monroe Counly offices because employees who cashier also have the supervisor designation on thelr WISE user accounts. Employees who cashier and have supervisory rights in WISE creates opportunities to change inventory and manipulate processed funds without delection Recommendations: 14, Before leaving 2 workstation, cashiers must logoff or otherwise secure the PC/ terminal. Use the PC / terminal lock feature, if available. (Reference: Procedure 4442) 15. The Cashier Assignment Report must be printed and reviewed at the beginning of each month, to ensure WISE user accounts remain up-to-date. (Reference: Procedure 4441) As a precaution, user accounts should be deleted if the user has not been active on WISE for more than six months. 16. Office management must perform all required monitoring of all individuals who cashier on a regular basis and have the WISE supervisor designation. This monitoring includes but is not limited (to: batch reviews of processed work; RCVAs; reviews of all override reports; and, verifying inventory changes. These monitoring activilies should be completed at maximum, required levels, or greater, due to the increased vulnerabilities of one individual controlling all aspects of a process. (Reference: Procedure 4441) Management Comments A formal exit conference was not held, however, some of the issues were discussed with office personnel during the visits, _———$— Page 8 0f 16 Monroe County Special Audit ‘Audit Report 201 8Y86 and 2018Y87 ——— ee eee eee ‘The Henrietta branch manager has been trying to get their locks fixed for some time, and will request a locking cabinet for personnel records, No comments were made by the Irondequoit branch manager, and the Greece branch manager was nol present during the visit, Draft Audit Report On June 21, 2018, a draft audit report was forwarded for comments. A response from Mr. Jeffery McCann, Deputy County Clerk, was received on July 26, 2018 and is presented in Exhibit B. It indicates the recommendations have either been implemented or will be implemented by September 28, 2018, Contributors to the Report Bridget Britton Francine Smeltzer Paul Sorrentino Randy Gable Tom Earl Kelly J. Gardiner, CISA ——$ Page Sof 16 Monroe County Special Audit Audit Report 2018786 and 2018787 Exhibit : Response to Audit ‘Completed By (Nama, Title): Jeffery MeCann, Deputy County Clerk Date: July 26, 2018 rh; A. Security Recommendations 1. The plate room must be restricted to authorized employees only. A supervisor should be responsible for distributing inventory items. (Reference: Procedure 4002) ‘Supervisors have not been responsible for distributing inventory items at all branches for as long as our current branch managers can remember (approximately 20 years). We have brought our practice into compliance with NYSDMV policy. Staff have been instructed that it 's imperative to keep the plate room door closed even when working inside to prevent unauthorized access, 2, The safe must be locked and alarmed at all times except when removing or inserting money. (Reference: Procedure 4002) The safe in the Greece office was left open by a new floating supervisor on the day of the audit. We have reiterated the policy of keeping the safe locked at all times. Nona of the safes at our branches are alarmed. Work orders have been created to have our safes examined and equipment needs determined by county security staff within the Monroe County Department of Environmental Services. We are in the process of determining prices to have this done and will complete it in the near future. 3. The safe combination should be changed annually as @ precautionary measure Documentation supporting the safe combination change must be retained. (Reference Procedure 4002) ‘There was confusion on this policy. Branch managers were unaware that combinations need to be chenged annually. There was a previous intemal policy of having locks changed when there was a change in branch management. We will have the combinations changed annually. Combinations were changed In March 2017 based on management turnover and immediately following the auditors’ most recent visit in June 2018. 4. All cash drawers must be lockable. All cashiers must use locking cash drawers for money and change funds. Cashiers must always lock up money and security items when leaving their station for any length of time. (Reference Procedure 4002) We have documentary evidence that County staff has expressed concems about cash drawers with broken locks dating back to at least 2007. In conversations with staff, we have determined thet this has been a longstanding problem at all three Monroe County branches. Our landlord at the Henrietta office has fixed this problem. We have recently pul out a request for quotes to fix this at the Greece and Irondequoit offices and expect to have this corrected in the near future, ‘Additionally, we have purchased new cash boxes for the eastside and westside mobile offices. ‘The lack of security at these offices has been something that had been identified as a concem 'n previous audits. Former Assistant Deputy County Clerk Richard Tumer stated in response —— eee Page 10 of 16 Monroe County Special Audi ‘Audit Report 2018Y86 and 2018Y87 ————wu— —annsg«wO to previous aus that the County had installed barriers between customers and staff. We find ‘no evidence that this was ever done and current staff has no knowedge of these changes ever taking place. We have identified carts that will serve as a secure workstation, We anticipate having all three vans equipped with ramps and other security measures to accommodate these carts by September 28, 2018, 5. All security items (i. cash, checks, customer's information, applications, license plates, documents, stickers, written tests, and surrendered plates) must be relocated out of public view and reach and secured at all times. Cashier workstalions should be constructed so customers cannot reach over the top, or through the window, to take any DMV items (Reference: Procedure 4002) We have taken a number of steps to address the concems raised. First, we have purchased Secured cabinets for all three mobile offices to keep applications, plates, documents and vaitten test materials secured, At the Henrietta office, all plates will bo secured after business hours. Our staff dossn't remember a time when Monroe County DMV actually witnessed the ceatruction of the plates. According to the representative at the County's scrap vendor, DMV. slaff has witnessed the destruction of the plales twice during the fast 11 years ~both of these ‘occasions within the last 4 weeks. We now have a member of our staff accompany the plates to the scrap yard and witness the Gestruction of the plates. Our current contract for license plate disposal was last extended in 2010 and 2015. It appears that the terms of the contract were never met by the vendor (plates were never weighed before they left our office as required by the contract and the county has, been taking the vendor's word for the proper weight we should be compensated for until late July of 2018). We nave initiated discussion with Corcraft about the possibilty of them picking up our plates nd handling their disposal — similar to the arrangement they have with State DMV offices. We are also considering rebidding this contract in the near future. 6. Supervisors are responsible for retention of a dally record of specie fund cash (MV-1009 ‘Specie Fund Verification). The specie fund should be counted at least twice a day, after the. morning deposit and at the end of the day. (Reference: Procedure 4002) Branch managers were unaware of this policy. Ithas now been implemented. 7. Allsecurity items, including those in mobile units, must be secured during and after business hours. (Reference: Procedure 4002) The security of DMV vans has been identified in previous audits and has been left unaddressed by the previous County Clerk. We have mot with Monroe County Fleet ‘faintenance and have identified a number of steps to make the vans more secure. These steps include: ‘Alarming all vans ——— Page 11 of 16 Monroe County Special Audit Audit Report 2018Y86 and 201887 Oe ‘No longer shrink wrapping new vans to keep them discrete and unidentifiable Improving intemal security features in the van Having mobile secure cabinets to keep material more secure during transportation and dally operations 8. Mobile vans must be restricied to authorized employees only. A supervisor should be responsible for distributing inventory items. (Reference: Procedure 4002) New storage cabinets have been purchased that will allow cashiers to cary more stock — eliminating the need for them to obtain additional stock during business hours 9. A security system, including an intrusion alarm, should be installed to safeguard monies, security documents and other assets. (Reference: Procedure 4002) ‘We wil be installing alarms, GPS tracking and working to Improve security of the mobiles in general, 10. A lockable door, or other barrier, should be installed to prevent unauthorized access by the Public. (Reference: Procedure 4002) ‘Security at the mobile DMVs has been an issue that has been noted as a concern in previous audits. After reviewing the previous audit, it appears that the previous County Clerk’s ‘Administrations have responded to these Issues in ways that have been inaccurate and have stated changes were mav‘e that we can find no evidence of, DMV staff are not aware of, ana do not exist today. Prior to this audit, we asked the Monroe County Sheriffs Office to conduct a review of all of our offices and make recommendations on steps we can take to make them more secure. ‘We've also involved the County's Department of Human Resources and the CSEA Union in this process and expect to have recommendations to improve all locations in the next month, 14, Personal items must be stored in designated employee areas, such as a locker room or break room, and kept separate from all DMV security items and paperwork, (Reference: Procedure 4002) ‘We will provide secure bins to store the staff's personal items that need to be secured, 12, Alloffices must have a separate testing area and a proctor to continuously monitor applicants. taking written or automated tests. Signs must be posted prohibiting the use of electronic devices in the testing area. (Reference: Procedure 4165) We have had signs made that state the use of electronic devices in the testing area is prohibited and we have designated locations at each mobile location that are easily proctored and monitored by our staf. 13, Personnel records must be kept locked and secured at all imes and should only be accessible by authorized employees. (Reference: Procedure 4002) Write these records were kept in a locked office, we have purchased lockad file cabinets for ail three branches ———— Page 120116 Monroe County Special Audit Audit Report 2018786 and 2018¥87 ee Steps to Implement Recommendations: ‘The following steps have beon taken: Effective July 1, 2018 Supervisors have been instructed that authorized employees are the only ‘ones eligible to enter the plate room and they are responsible for distributing inventory. Effective July 1, 2018 It has been reiterated to Supervisors that safes are to be locked at all times. Effective July 1, 2018 All Supervisors are aware that the combinations on all safes will be changed. The Assistant Deputy Clerk ~ Auto Licensing Bureau will be responsible for this and the combinations will be changed annually on of before June 1. The cash drawer locks in the Henrietta Office have been repaired by our landlord effective 7/14/2018. Effective July 1, 2018 supervisors have been counting the specie fund twice a day Effective July 1, 2018 oniy authorized staff is alowed to enter the van. Estimated Implementation Date: We have placed a work order with Monroe County DES to have alarms placed on our safes. We estimate this will be completed by August 31, 2018. We are working with Manros County Purchasing to find a vendor to repair the locks on the cash drawers at the Greece and Irondequoit Office. We issued a request for quotes that did not generate @ sufficient number of responses and County purchasing is working to find additional potential bidders. We estimate this work will be completed by August 31, 2018, We have ordered new, heavy duty secured cabinets that will serve as a cash drawer, and work station for our mobile DMV offices. We are working with Monroe County Fleet to equip our vans with ramps to accommodate these cabinets and are having security features added to the vans that include; alarms, GPS monitoring, enhanced bulkheads, protective window coverings and protective lock covers for the outside of the van. We estimate that all of our vans will be equipped with these features by September 28, 2018. We are conducting a security review of our DMV branches with the assistance of the Monroe County Sheriff's Office. We feel the new mobile cabinets will enhance security at the mobiles and we will work with the Sherif, County Human Resources and the Union to address eny security Issues. We estimate this project to be completed by September 28, 2018. Our new cabinats for the mobiles will eliminate the need for mobile staff to restock their supply during the day. These cabinets have been ordered and we anticipate they will be ready and walling for staff by the time newly upgraded vans with ramps are ready, approximately September 28, 2018. We are reviewing our mobile operation in the Town of Chili and are working with the Town to reconfigure our set up so its not adjacent to the non-locking door. We estimate this project io be complete by August 10, 2018, We are making arrangements to provide staff with secure bins for the storage of all personalitems —_———— Page 13 of 16 Monroe County Special Audit Audit Report 2018Y86 and 201887 80 it Is separate from DMV security items and paper work. We estimate this project to be completed by August 10, 2018. ‘We have naw signage stating that the use of electronic devices in the testing area is prohibited. We expect this task to ba completed by July 27, 2018. We have ordered 3 new locked file cabinets for the personnel files at each branch. We expect this project to be complete by August 16, 2018 Individual Responsible for Implementation (Name, Tit Tom Morisey, Assistant Deputy Clerk B. System Access Controls Recommendations 14, Before leaving a workstation, cashiers mus! logoff or otherwise secure the PC / terminal. Use the PC / terminal lock feature, if available. (Reference: Procedure 4442) Sis standard practice that cashiers logoff computers. This will be reiterated through training and has bean restated through a memo. 16. The Cashier Assignment Report must be printed and reviewed at the beginning of each month to ensure WISE user accounts remain up-to-date. (Reference: Procedure 4441) As a precaution, user accounts should be deleted ifthe user has not been active on WISE for more. than six months. Not alll of our branch managers were aware that a CAR review is required monthly. We have made them aware of this requirement and have implemented it. We have deleted all users. who have not signed on for six months. 16. Office management must perform all required monitoring of all individuals who cashier on a regular basis and have the WISE supervisor designation. This monitoring includes bul is not limited to: batch reviews of processed work; RCVAs; reviews of all override reports; and, verifying inventory changes. These monitoring activities should be completed al maximum required levels, or greater, due to the increased vulnerabilities of one individual controling all aspects of a process. (Reference: Procedure 4441) We believe our office to be in full compliance with these monitoring requirements except for the RCVAs. Going forward, RCVAs will be conducted by a member of our audit staff at tho Henrietta DMV. Steps to Implement Recommendations: ~_Allcashlers have been issued a memo reminding them to log off of workstations whten they are not in use and this will be highlighted in the new taining program we are developing ~ The CAR review is now taking place monthly and unneded users being removed = RCVAs will immediately start being conducted in our audit office. Estimated Implementation Date: Allitems in Section B have already been addressed. —<—$<$—$ Page 14 of 16 ‘Monroe County Special Audit Audit Report 201886 and 201887 —__—_—— eet and 201887 Individual Responsible for Implementation (Name, Title): Tom Morrisey, Assistant Deputy Clerk Additional Comments Concerning the Audit Report Upon learning customer forms containing personal and confidential Information were improperly disposed of at two Monroe County OMV's, County Clerk Bello took a number of steps to ensure ‘Monroe County's DMV's are in compliance with State regulations, ‘There was @ general lack of knowledge regarding many NYSDMV procedures and there ‘ppears to be an assumption on the part of the State that information is belng disseminated to County offices. The reason the Monroe Counly Clerk's Office requested this aud, the improper

    You might also like