A new audit from the New York State Comptroller’s office found that the state’s Office of Information Technology Services (ITS) has lost thousands of devices due to waste, inventory mismanagement, and lax security.
According to the audit, ITS’ lax inventory records have led to thousands of computers and other costly information technology (IT) equipment being unaccounted for. The audit also found that the agency destroys new and barely used devices rather than donating or selling them.
“Information Technology Services needs to do a better job of keeping an accurate inventory of its equipment to avoid wasting taxpayer dollars and to protect any sensitive information stored on these devices,” State Comptroller Thomas P. DiNapoli said. “The findings in this audit are very concerning and the agency needs to overhaul its operations.”
ITS is responsible for keeping an accurate inventory of hardware and software for the 57 state entities it fully supports. It also operates 83 stockrooms statewide. To manage this inventory, ITS uses software called Information Technology Service Management (ITSM). The audit found that from March 2020 to March 2024, ITS spent nearly $62 million on workstations and associated equipment.
The audit found inventories were often inaccurate, records from ITSM and stockrooms didn’t match, devices like laptops were missing, and security was lax around the stockrooms where equipment holding potentially sensitive information was stored.
During the audit, ITS initiated a cleanup of its inventory data and reclassified as “absent” 11,000 devices that were unaccounted for but had an “In-Stock” or other designation. In total, auditors found 17,887 items, including thousands of laptop and desktop computers, listed in ITSM as “absent,” mostly because their location wasn’t known. Additionally, auditors searched for a sample of 102 devices with listed stockrooms, but stockroom employees couldn’t find 94 of them.
Auditors also identified 36 pallets of used equipment that could contain sensitive or confidential information – laptops, hard drives, monitors – in a shared storage area easily accessed by employees from other agencies, as well as three boxes of hard drives taken from state computers stored behind an ITS employee’s desk.
Auditors found 924 lightly used or new in-box desktop and laptop computers – with an estimated value over $500,000 – marked to be discarded. The Comptroller’s Office noted that in the past, new, unused, and lightly used equipment was sometimes donated or sold at state auctions. However, ITS now destroys discarded equipment, even in new or like-new condition.
The audit discovered that some state agencies were buying their own equipment, connecting it to ITS networks and keeping equipment that should have been returned to ITS. The Comptroller’s Office said this practice creates potential security risks.
The Comptroller’s Office also raised serious concerns that ITS inhibited the audit process. In a press release, the Comptroller’s Office noted that during the first seven months of the auditors’ work, ITS officials put “unwarranted restrictions” on their access to records and agency staff, hindering the audit process. The Comptroller’s Office further alleged that when information was eventually provided, it had been altered. Of particular concern to the Comptroller, the ITSM inventory of laptop and desktop computers had been changed. However, by the time the audit was concluded, hindrances were removed and information was made available by ITS.
Among several recommendations, the Comptroller called on ITS to improve its oversight and operations; conduct a comprehensive review and cleanup of the inventory data in its ITSM software; strengthen oversight and monitoring of its stockrooms; and review its practice of destroying new and lightly used IT equipment to determine if it can be sold or donated.
In response to the audit’s findings, ITS began reviewing and correcting its inventory data. ITS also stated that it will continue to improve monitoring of inventory moving forward, including training stockroom and other staff to identify discrepancies in inventory data. Officials stated that ITS prioritizes data security when disposing of assets, but will consider resale or donation of devices where possible.
