Village of Montgomery – Purchasing and Information Technology (2013M-210)

Issued Date
October 25, 2013

Purpose of Audit

The purpose of our audit was to review internal controls over the Village’s purchasing and information technology (IT) operations for the period June 1, 2011, through January 9, 2013.

Background

The Village of Montgomery is located in the Town of Montgomery in Orange County and has a population of about 3,800. The Village is governed by a five-member elected Board of Trustees comprising the Mayor and four Trustees. The Village’s total general fund appropriations for the 2011-13 fiscal year were approximately $5 million.

Key Findings

  • Village officials generally complied with General Municipal Law (GML) and sought competition for purchases and public works contracts subject to its competitive bidding requirements. However, the Board-adopted procurement policy did not specify the number of quotes or requests for proposals (RFPs) to be obtained for purchases that were not subject to competitive bidding. As a result, Village personnel did not always seek competition for such purchases and paid approximately $84,000 to 13 vendors without obtaining the required quotes or RFPs.
  • The Board adopted a comprehensive policy covering various aspects of the Village’s IT system security, but it did not implement procedures ensuring that controls were instituted. For example, Village officials did not ensure that copies of back-up data were stored in a secure off-site location, and the Board has not developed a disaster recovery plan.
  • The Village received various IT services from consultants without service level agreements.

Key Recommendations

  • Amend the procurement policy to include the specific number of quotes or RFPs Village personnel should obtain when purchasing items not subject to competitive bidding. Ensure that the Village’s procurement policy provisions relating to obtaining quotes or RFPs are complied with.
  • Ensure that all of the Village’s data is backed up to a secure off-site location, and that an officer or employee periodically restores/tests the backups. Implement a formal disaster recovery plan.
  • Enter into service level agreements with its IT consultants that clearly describe the scope of the work, service level objectives, and performance indicators.