Main Banner

NEWS from the Office of the New York State Comptroller
Contact: Press Office 518-474-4015

        

Thousands of State Computers and Other IT Devices Unaccounted for or Stored With Lax Security

State Comptroller’s Audit Finds Waste and Mismanagement in State’s IT Inventory

February 14, 2025

The state’s Office of Information Technology Services’ (ITS) lax inventory records have led to thousands of computers and other costly information technology (IT) equipment being unaccounted for, and the agency destroys new and barely used devices rather than donating or selling them, according to an audit released today by State Comptroller Thomas P. DiNapoli.

“Information Technology Services needs to do a better job of keeping an accurate inventory of its equipment to avoid wasting taxpayer dollars and to protect any sensitive information stored on these devices,” DiNapoli said. “The findings in this audit are very concerning and the agency needs to overhaul its operations.”

ITS was created in 2012 to centralize IT services for state executive agencies. In addition to overseeing the state’s IT services and purchasing and maintaining equipment for state employees, ITS is responsible for keeping an accurate inventory of hardware and software for the 57 state entities it fully supports. It also operates 83 stockrooms statewide. To manage this inventory it uses software called Information Technology Service Management (ITSM). From March 2020 to March 2024, ITS spent nearly $62 million on workstations and associated equipment.

DiNapoli’s audit found inventories were often inaccurate, records from ITSM and stockrooms didn’t match, devices like laptops were missing, and security was lax around the stockrooms where equipment holding potentially sensitive information was stored.

  • ITS initiated a cleanup of its inventory data during the audit and reclassified as “absent” 11,000 devices that were unaccounted for but had an “In-Stock” or other designation. In total, auditors found 17,887 items, including thousands of laptop and desktop computers, listed in ITSM as “absent,” mostly because their location wasn’t known (82%). Auditors searched for a sample of 102 devices with listed stockrooms, but stockroom employees couldn’t find 94 of them.
  • Auditors identified 36 pallets of used equipment that could contain sensitive or confidential information – laptops, hard drives, monitors – in a shared storage area, easily accessed by employees from other agencies, as well as three boxes of hard drives taken from state computers stored behind an ITS employee’s desk.
  • Auditors found 924 lightly used or new in-box desktop and laptop computers, estimated value over $500,000, marked to be discarded. Previously, new, unused, and lightly used equipment was sometimes donated or sold at state auctions, but ITS now destroys discarded equipment, even in new or like-new condition.
  • Auditors found that employees at ITS’ central distribution center, where purchased devices are first received and sent out to stockrooms around the state, said stockrooms often did not scan the devices as they were supposed to on arrival. Some 2,500 devices were listed as “In-transit” because stockrooms never confirmed their receipt.
  • Auditors found that stockrooms around the state could not match their records with ITSM data, with some devices listed in the software but not in stockrooms and vice versa. A check of 606 laptop and desktop computers found 58 (9.6%) couldn’t be reconciled between stockrooms and ITSM records.

Auditors also found that stockroom employees were not properly trained. At several locations, employees didn’t know how to properly use the ITSM software to locate items by serial number or provide auditors with inventory reports. Over half (13) of the 23 stockrooms that DiNapoli’s auditors visited did not complete all required quarterly physical inventories.

The audit found some state agencies were buying their own equipment, connecting it to ITS networks and keeping equipment that should have been returned to ITS, creating potential security risks.

During the first seven months of the auditors’ work, ITS officials put unwarranted restrictions on their access to records and agency staff, hindering the audit process. When information was eventually provided, it had been altered. Of particular concern, the ITSM inventory of laptop and desktop computers had been changed. The data remained unreliable, despite the changes. By the time the audit was concluded, hindrances were removed and information was made available by ITS.

Pallets of laptops and other IT devices in an ITS storage facility, many never opened or lightly used, scheduled for destruction.
Pallets of laptops and other IT devices in an ITS storage facility, many never opened or lightly used, scheduled for destruction.

Recommendations 

Among its several recommendations, the audit called on ITS to improve its oversight and operations; conduct a comprehensive review and cleanup of the inventory data in its ITSM software; strengthen oversight and monitoring of its stockrooms; and review its practice of destroying new and lightly used IT equipment to determine if can be sold or donated.

Response

ITS began reviewing and correcting its inventory data after the audit began. It stated that it will continue to improve monitoring of inventory moving forward, including training stockroom and other staff to identify discrepancies in inventory data. Officials stated that ITS prioritizes data security when disposing of assets, but will consider resale or donation of devices where possible. The agency’s full response is available in the audit.

Audit 
Office of Information Technology Services: Inventory Controls