State Comptroller: Cedarhurst should strengthen controls

The state comptroller’s office says there is room for improvement in the Village of Cedarhurst’s policies on purchasing services, claims processing and computer security.

A comptroller’s audit covering the period from June 1, 2008, to Aug. 31, 2009, addressed internal controls on procurement, payments and the village’s information technology system security. In that period, village spending totaled $4.98 million from the general fund and $1.05 million from the sewer fund.

According to the audit, goods and services valued at $150,944 were obtained without seeking competitive bids — as required by general municipal law — and 18 checks totaling $148,023 were cashed by vendors before the bills were approved for payment by the village board.

“We don’t think there is anything that cannot be corrected,” said Village Administrator Sal Evola, adding that the board is expected to re-adopt its policy on paying certain utilities or “normal recurring bills” in advance at the village meeting on Dec. 6. “It is customary for municipalities to pay utilities before any other bills other than payroll or benefits. We are complying with that.”

In auditing the village’s purchasing and claims processes, the comptroller made six recommendations: that Cedarhurst officials make sure that purchases and public-works contracts exceeding competitive-bidding thresholds are acquired through competitive bidding; that verbal or written quotes be obtained and documented in compliance with the village’s procurement policy; that the village require sufficient documentation when emergency purchases are made; that it revise the procurement policy to require that professional services be obtained based on competition, and document the reasons for the selection of bidders; that written contracts document services to be provided and the basis for payment; and that the village board audit all claims before payments are made.

In a letter of response to the comptroller’s office, Mayor Andrew J. Parise defended an item in the audit: the $49,307 paid to 3D Industrial though the village did not use competitive bidding before hiring the company.

Parise pointed out that 3D Industrial’s work was conducted on an emergency basis for electrical repairs to Cedarhurst’s sewage treatment plant. He said that a problem at the plant, which processes approximately 800,000 gallons of wastewater per day, could force it to shut down, creating health issues and property damage as the result of a discharge of wastewater into area waterways. To avert such a disaster in an emergency, work must be done right away.

“When faced with such catastrophic results,” Parise wrote, “the village immediately initiates emergency procedures to bring in appropriate contractors who are familiar with the plant and its mechanical and electrical systems to restore functioning capacity as promptly as possible.”

Parise also stated that the village “routinely obtains competitive bids for all services, including professional services that do not require competitive bidding.”

Absent comprehensive I.T. procedures, the audit stated, the village’s 20 computers and its system could be lost or misused. The report recommended adopting a disaster recovery plan as well as an “acceptable use” policy; devising procedures for remote access to ensure that an appropriate employee reviews audit logs to monitor the work performed by outside vendors or consultants; and the adoption of a policy for server protection to ensure that the business office server is kept in a locked room to which only authorized personnel have access.

Parise responded to the auditors that the village “concurs” with these computer-security recommendations, and Evola said that at Monday’s meeting, the board is expected to devise a policy to increase security for its server, and will maintain it in a locked cabinet and keep a log of when computer consultants access the system.

“These types of issues can be found in small or large municipalities,” said Nicole Hanks, a spokeswoman for the comptroller’s office. She noted that within 90 days of the report’s Nov. 26 issue date, the village board should forward a corrective action plan that addresses the recommendations.