Objective

To determine whether the Office of Information Technology Services has adequate controls to ensure the accuracy and completeness of inventory records, accountability for inventory transactions, and safeguarding of inventory. The audit covered the period from March 2020 through August 2024.

About the Program

The Office of Information Technology Services (ITS) was created in 2012 and is the lead agency for State IT services and technology solutions, including the procurement, distribution, and maintenance of technical equipment for State employees. Additionally, ITS is responsible for maintaining an accurate inventory of all information assets, including all workstations (desktop and laptop computers), virtual desktops, printers, scanners, mobile devices, and additional specialized equipment, as well as any digital programs or systems needed to support various job functions. To manage the vast inventory, ITS utilizes the Information Technology Service Management (ITSM) software as its centralized system of record.

ITS supports 108 State entities and operates 83 stockroom locations statewide. Stockroom personnel are required to receive inventory shipments and scan the devices into ITSM. Next, in-stock devices are available to be assigned to users and distributed for either onboarding or refreshing an outdated device. As devices are assigned to users and distributed, ITS’ Asset Management team updates the record within ITSM to reflect the changes.

As of January 2023, stockroom managers are required to complete quarterly inventory audits to ensure devices are being tracked in ITSM effectively, as well as to ensure stockrooms always have adequate inventory on hand.

Key Findings

ITS does not have the necessary controls in place to accurately and completely account for all workstations and other hardware assets for which it is responsible. We found significant weaknesses related to ITSM accuracy, as well as missing devices, and a lack of security over equipment and the information stored on devices at ITS stockrooms. Further, this general lack of accurate inventory information has resulted in overspending and government waste. For example:

• ITSM data is neither accurate nor complete as it pertains to technology equipment. ITSM contains many errors, including missing devices, with 17,887 devices categorized as absent after they could not be located; duplicate data; and blank serial numbers in the system so that devices cannot be identified. Absent devices are ITS workstations, such as desktops and laptops, that are no longer in ITS’ possession but still exist in ITSM.
• Stockrooms throughout the State were not able to accurately reconcile items with ITSM records. We found devices listed in ITSM that were not present in the stockrooms and devices in stockrooms that were not listed in ITSM. We were unable to reconcile 58 of 606 (9.6%) sampled workstations from our 23 stockroom visits with the ITSM information. Further, we found 96 devices present in stockrooms but not listed in ITSM.
• We observed unsecured workstations and the unsecured storage of hard drives that potentially contain confidential data. For example, we saw 36 pallets of used equipment—including workstations, hard drives, monitors, and keyboards—kept in a shared storage area within the building, easily accessible to employees from other entities. We also saw three boxes of hard drives that had been removed from devices and stored behind an ITS employee’s desk—kept in a manner that makes them inappropriately accessible to other individuals with access to the floor.
• We found over 924 lightly used or new devices (e.g., desktop and laptop computers) that were set to be destroyed, with an estimated value between $530,000 and $660,000. New, unused, and lightly used equipment was, in the past, sometimes donated or sold at State auctions; however, due to the additional processes necessary to donate or sell workstation equipment, ITS currently elects to destroy all discarded equipment, even equipment in new or like-new condition.

Further, we identified areas where stronger oversight is needed over stockroom and agency operations and additional training is needed for ITS stockroom personnel. ITS has not provided stockroom personnel with the proper knowledge and skills to competently and effectively use ITSM. We found that ITS stockroom employees at several locations were unable to adequately navigate ITSM to provide reports to the audit team or search the ITSM database for devices by serial number. We also found that 13 of the 23 (57%) stockrooms we visited have not completed all quarterly physical inventory audits as required. Additionally, some State entities have been circumventing appropriate protocols by purchasing their own equipment, putting their own equipment on ITS networks, and keeping equipment that should have been returned to ITS, posing potential security risks to the network and compromising data integrity.

We also identified weaknesses in technical controls that need to be corrected to ensure the selected information systems, and their associated data, are not at risk.

For 7 months, during the beginning stages of our audit, ITS officials imposed scope limitations on the audit team. They placed unwarranted restrictions on access to records, officials, and other individuals needed to fully address our audit objective. When the necessary information was eventually provided, we found instances where the underlying information had been changed, specifically ITSM workstation inventory data. Despite these changes, we found the data to be unreliable, as discussed in the body of the report. After we issued a preliminary findings report on this issue, we saw substantial improvement regarding the availability of information with ITS, and for the remainder of the audit, there was an adequate exchange of information between ITS and OSC.

Key Recommendations

• Conduct a comprehensive review and cleanup of ITSM data to ensure accuracy and completeness, and implement ongoing quality reviews of ITSM data to maintain integrity.
• Improve oversight and monitoring of stockrooms.
• Maintain an accurate and complete inventory of workstations and other equipment available to ensure efficient use of resources and prevent waste of equipment and taxpayer money.
• Formally evaluate the current practice of destroying new and lightly used equipment, and determine if these devices could be resold or donated.
• Implement the recommendation detailed in our preliminary findings to strengthen technical controls over the selected systems reviewed.
• Continue to improve the timeliness of cooperation with authorized State oversight inquiries to ensure transparent and accountable agency operations.