
OFFICE OF THE NEW YORK STATE COMPTROLLER
DIVISION OF LOCAL GOVERNMENT & SCHOOL ACCOUNTABILITY

Town of Ramapo
Internal Controls Over Selected Financial Activities
Report of Examination
Period Covered: January 1, 2009 to November 17, 2010
2011M-143

Thomas P. DiNapoli

Table of Contents

AUTHORITY LETTER

EXECUTIVE SUMMARY

INTRODUCTION
    Background
    Objective
    Scope and Methodology
    Comments of Town Officials and Corrective Action

BOARD OVERSIGHT
    Recommendations

BASEBALL STADIUM CAPITAL PROJECT
    Stadium Financing
    Feasibility Analysis
    Recommendations

FINANCIAL CONDITION
    Budget Estimates
    Operating Deficits and Fund Balance
    Exceeding Appropriations
    Inter-Fund Advances
    Recommendations

INFORMATION TECHNOLOGY
    Breach Notification
    Disaster Recovery
    Auto Complete Setting
    User Accounts
    Inappropriate Computer Use
    Information Security Awareness Training
    Banking Policy
    Recommendations

APPENDIX A  Response From Town Officials
APPENDIX B  OSC Comments on the Town Officials' Response
APPENDIX C  Audit Methodology and Standards
APPENDIX D  How to Obtain Additional Copies of the Report
APPENDIX E  Local Regional Office Listing

State of New York
Office of the State Comptroller

Division of Local Government and School Accountability

February 2012

Dear Town Officials:

A top priority of the Office of the State Comptroller is to help local government officials manage government resources efficiently and effectively and, by so doing, provide accountability for tax dollars spent to support government operations. The Comptroller oversees the fiscal affairs of local governments statewide, as well as compliance with relevant statutes and observance of good business practices. This fiscal oversight is accomplished, in part, through our audits, which identify opportunities for improving operations and Town of Ramapo governance. Audits also can identify strategies to reduce costs and to strengthen controls intended to safeguard local government assets.

Following is a report of our audit of Town of Ramapo, entitled Internal Controls Over Selected Financial Activities. This audit was conducted pursuant to Article V, Section 1 of the State Constitution and the State Comptroller's authority as set forth in Article 3 of the General Municipal Law.

This audit's results and recommendations are resources for local government officials to use in effectively managing operations and in meeting the expectations of their constituents. If you have questions about this report, please feel free to contact the local regional office for your county, as listed at the end of this report.

Respectfully submitted,

Office of the State Comptroller
Division of Local Government and School Accountability


EXECUTIVE SUMMARY

The Town of Ramapo (Town) is located in Rockland County and has 12 villages, including Airmont, Chestnut Ridge, Hillburn, Kaser, Montebello, New Hempstead, New Square, Pomona, Sloatsburg, Spring Valley, Suffern and Wesley Hills. The Town Board (Board) is the governing and legislative body of the Town. It determines policy and appropriates funds for various governmental functions and services. The Board has the rights to adopt and manage the budget, control and have custody of Town property, and oversee the Town's various Departments. The Town provides various services to its residents, including maintaining and improving Town roads, snow removal, public improvements, recreation and cultural activities, water, and general governmental support. Budgeted appropriations for the fiscal years 2009 and 2010 were $71.4 million and $74.9 million, respectively.

Scope and Objective

The objective of our audit was to assess the Town's internal controls over selected financial activities for the period January 1, 2009, to November 17, 2010. We expanded the scope of our audit to include January 1, 2008, to May 18, 2011, to review the trends associated with the Town's finances and to include the Town's actions related to the baseball stadium construction project. Our audit addressed the following related questions:

• Did Town officials properly oversee and monitor the planning and construction of the baseball stadium?
• Are internal controls over the Town's finances appropriately designed to safeguard Town assets?
• Are internal controls over the Town's information technology (IT) system appropriately designed to protect electronic data?

Audit Results

Town officials have inappropriately mingled the activities of the Town and the Ramapo Local Development Corporation (RLDC) in the construction of a minor league baseball stadium. These actions allowed Town officials to circumvent laws the Town is required to abide by for the approval and construction of such projects, and has resulted in the Town paying over $35.4 million in improvement costs and being liable for at least $25 million in bonds issued for debt on property that the Town no longer owns. In addition, there is little likelihood that the project will generate sufficient revenue to help the Town pay for this outstanding liability. The Town will pay approximately $27.5 million¹ in principal and interest payments on these bonds over the next five years. This is significantly more than the approximately $7 million a feasibility consultant projected the baseball stadium would generate in net revenues available for debt service during the same time frame.

The Town does not have a written agreement with the RLDC outlining how the RLDC will reimburse the Town for the principal and interest on these bonds. Supposedly, the RLDC is relying on revenues that will be generated from the sale of affordable housing units to reimburse the Town. However, the RLDC obtained loans of approximately $29.9 million that were also guaranteed by the Town to build these units. These loans must be repaid before any revenues generated from the sale of the units can be made available to reimburse the Town for payments related to the $25 million bonds. As a result, it is unlikely that the RLDC will be able to reimburse the Town for the full principal and interest payments made on the $25 million bonds.

We found that the Board has not exercised effective oversight of the Town. Board members told us that they received no financial reports, such as detailed project cost reports for Town projects (including the baseball stadium), budget versus actual reports, and generally did not receive or review contracts. Additionally, Board members told us that they did not know how much the baseball stadium would cost the taxpayers or how it would be paid for.

We also found that, in 2010, the Town had depleted its fund balances in three major operating funds because of unrealistic revenue estimates and the Board's failure to monitor and adjust the budget when it became clear that the Town would not achieve anticipated results. During 2009 and 2010, the Town advanced approximately $3.3 million and $3.9 million, respectively, among funds with differing tax bases, but failed to pay back those funds by the close of the fiscal year as required by law. The advancing funds lost $17,243 in interest because they were not paid back with a comparable rate of interest.

The Board did not establish adequate information technology policies, including a breach notification policy, online banking policy or policies for assigning or deactivating user accounts. Further, the Board has not adopted an entity-wide disaster recovery plan; therefore, in the event of a disaster, Town personnel have no guidelines or plan to follow to resume mission-critical functions. In addition, the auto-complete setting was enabled on the online banking computer. We also found multiple instances of non-work-related computer usage. As a result, the Town's computer system and electronic data may be susceptible to loss, unauthorized use, or improper disclosure.

Comments of Town Officials

The results of our audit and recommendations have been discussed with Town officials and their comments, which appear in Appendix A, have been considered in preparing this report. Town officials disagreed with our findings. Appendix B includes our comments on issues that Town officials raised in their response letter.

¹ This includes $25 million in principal + $2.5 million in interest.


Introduction
Background

The Town of Ramapo (Town) is located in Rockland County and has 12 villages, including Airmont, Chestnut Ridge, Hillburn, Kaser, Montebello, New Hempstead, New Square, Pomona, Sloatsburg, Spring Valley, Suffern and Wesley Hills. The Town provides various services to its residents, including maintaining and improving Town roads, snow removal, public improvements, recreation and cultural activities, water, and general governmental support.

The Town Board (Board) is the governing and legislative body of the Town. It determines policy and appropriates funds for various governmental functions and services. The Board comprises the Town Supervisor (Supervisor) and four councilpersons. Councilpersons are elected at large in odd-numbered years for four-year terms; these terms are staggered so that two councilpersons are elected each biennial session. The Supervisor is the chief executive officer of the Town and is responsible, along with other administrative staff, for the day-to-day management of the Town under the direction of the Board. The Supervisor, who also is a voting member of the Board and Director of Finance, is responsible for oversight of the Town's ongoing capital projects and general Town finances. Budgeted appropriations for the fiscal years 2009 and 2010 were $71.4 million and $74.9 million, respectively.

The Director of Automated Systems (Director) is responsible for the day-to-day operations of the Information Technology (IT) Department, which is overseen by the Supervisor and the Board. The Department comprises two IT personnel who report to the Director. The IT Department is responsible for the Town's 41 laptops, 179 desktop computers, and 26 servers. The Town contracts with various outside vendors for IT-related services.

Objective

The objective of our audit was to assess the internal controls over selected financial activities including the construction of a baseball stadium, financial condition and information technology. Our audit addressed the following related questions:

• Did Town officials properly oversee and monitor the planning and construction of the baseball stadium?
• Are internal controls over the Town's finances appropriately designed to safeguard Town assets?
• Are internal controls over the Town's IT system appropriately designed to protect electronic data?

Scope and Methodology

We examined the Town's internal controls over selected financial activities, including the baseball stadium, financial condition and IT for the period January 1, 2009, to November 17, 2010. We expanded the scope of our audit to include January 1, 2008, to May 18, 2011, to review the trends associated with the Town's finances and to include the Town's actions related to the baseball stadium. Our audit disclosed areas in need of improvement concerning some IT controls. Because of the sensitivity of this information, certain vulnerabilities relating to passwords are not discussed in this report but have been communicated confidentially to Town officials so they could take corrective action.

We conducted our audit in accordance with generally accepted government auditing standards (GAGAS). More information on such standards and the methodology used in performing this audit is included in Appendix C of this report.

Comments of Town Officials and Corrective Action

The results of our audit and recommendations have been discussed with Town officials and their comments, which appear in Appendix A, have been considered in preparing this report. Town officials disagreed with our findings. Appendix B includes our comments on issues that Town officials raised in their response letter.

The Board has the responsibility to initiate corrective action. A written corrective action plan (CAP) that addresses the findings and recommendations in this report should be prepared and forwarded to our office within 90 days, pursuant to Section 35 of the General Municipal Law. For more information on preparing and filing your CAP, please refer to our brochure, Responding to an OSC Audit Report, which you received with the draft audit report. We encourage the Board to make this plan available for public review in the Clerk's office.


Board Oversight
The Board has a fiduciary responsibility for Town assets and finances, and an obligation to serve the community, protect taxpayers' interests, and exercise good faith and due diligence. The Board, along with Town officials, is responsible for managing and overseeing the Town's overall fiscal affairs and safeguarding its resources. This responsibility includes establishing a sound internal control environment.

An important component of any system of internal controls is the control environment or the "tone at the top." The control environment is the foundation of a good internal control system, providing discipline and structure upon which the other components are based. It reflects management's attitude about internal controls and includes the integrity, ethical values, and competence of the entity's personnel, and management's philosophy and operating style. When this foundation is not strong or the control environment is not positive, the overall system of internal controls will not be as effective as it should be. The Board and Town officials must act with the highest ethical standards and carry out their oversight responsibilities in conformance with applicable laws, rules and guidelines that they expect their employees to follow. The Board and Town officials must be leaders in diligently protecting Town resources that are entrusted to them.

As the legislative body, the Board should establish and oversee much of the policy, financial, and ethical framework within which the Town operates. Through its actions and policies, the Board should chart the course for the Town's activities. The Board is responsible for monitoring the results of operations. Local governments routinely participate in construction projects that span several years and cost millions of dollars. It is important that the Board monitor the status of these substantial projects. The most common disclosures are project-based financial statements providing selected details of each project, such as total cost-to-date compared to budget or authorization.

The Board has not exercised effective oversight of the Town. The Board neither established policies nor oversaw the Town's financial operations. Board members told us that they received no financial reports, such as detailed project cost reports for Town projects (including the baseball stadium discussed in the next section), budget versus actual reports, and generally did not receive or review contracts. The Board made its decisions based upon representations from the Town Attorney and Supervisor. Additionally, although Board members should ensure they receive all necessary information, for the most part, they have not requested the information or ensured that they received requested information. In fact, Board members told us that they did not know how much the baseball stadium would cost the taxpayers or how it would be paid for. Without proper information, there is a risk that inappropriate decisions may be made which could result in further costs to taxpayers.

Recommendations

1. The Board should establish and maintain a control environment that fosters a commitment to compliance with relevant laws and Town policies. The Board also should routinely monitor the implementation and effectiveness of the internal control system.
2. The Board should ensure that financial decisions are based upon competent information.
3. The Board should require the Supervisor to provide project-based cost reports.


Baseball Stadium Capital Project


Capital projects are usually long-term projects which require relatively large sums of money to acquire, develop, improve, or maintain. The Board is responsible for oversight and management of the Town's capital projects, including establishing internal controls to help ensure that capital projects are properly and adequately planned and managed. Effective controls help ensure that projects are properly planned, funding is authorized, and project costs are kept within their approved budget.

Local Development Corporations (LDCs) are private, not-for-profit corporations often created by, or for the benefit of, local governments for economic development or other public purposes. Although created by, or for the benefit of a local government, an LDC is a separate private corporation, distinct from the local government, having its own set of powers under the governing statutes. In exercising these powers, LDCs generally are not subject to the same requirements and procedures as local governments with respect to borrowing, procurements and certain other matters that relate to implementing a capital project. These requirements and procedures applicable to local governments are intended for the protection of taxpayers.

In September 2008, the Board formed the Ramapo Local Development Corporation (RLDC). According to the RLDC's Certificate of Incorporation, the RLDC's mission and objective is to "lessen the burdens of government by undertaking and promoting urban redevelopment initiatives in the Town ... that will include real estate acquisition, development and management, real estate project finance, and other [permissible] community-based economic development activities." The Supervisor, who is a voting member of the Board, serves as the President and a voting member of the RLDC.

Stadium Financing

In June 2009, the Board purchased approximately 61 acres of property located at Fireman's Memorial Drive and Pomona Road for a cost of $8.4 million for general municipal purposes. Subsequent to the purchase, the Board decided to build a baseball stadium, as part of an urban renewal plan, which would serve as the home field for a minor league baseball team with approximate seating capacity of 3,500 and parking for 900 vehicles. In February 2010, the Board entered into an agreement with the RLDC to assist the Town with the development of the baseball stadium.


Board members indicated that they believed that the RLDC could build the stadium at a lesser cost because the RLDC does not have to comply with the Wicks Law. The Wicks Law generally requires multiple prime contracts for public works projects for the construction of buildings. When the Wicks Law applies, municipalities must award separate prime contracts for three major components of the work: electrical, plumbing, and HVAC (heating, ventilating and air conditioning). One or more contracts generally are awarded to general contractors for the remainder of the project scope. Furthermore, General Municipal Law (GML) requires that local governments competitively bid contracts for public work that involve expenditures in excess of $35,000. By using the RLDC to construct the stadium, the Board, in effect, circumvented the procurement laws that would have applied if the Town directly pursued the project.

In May 2010, the Board, by resolution, agreed to guarantee $16.5 million in financing to be obtained by the RLDC. Generally, with several exceptions, the State's Constitution (article VIII, § 1) prohibits a town from loaning its credit (e.g., guaranteeing loans) to or in aid of any public or private corporation or association. Town taxpayers filed a petition for a special election on the resolution. The petition sought to directly protest the Board's resolution which authorized and agreed to provide a financial guarantee of the financing to be obtained by the RLDC for the development of the baseball stadium. In August 2010, the Board's resolution was defeated, with 71 percent of the votes cast against it. According to published reports, the Supervisor subsequently stated that the stadium would be built with private and not taxpayer funding.

Following the vote, the Board continued to expend Town funds on improvements to the property. In November 2010, with knowledge that the RLDC was unable to obtain or generate the necessary funds to complete the project, the Board, by resolution, transferred the property to the RLDC. Although the Town transferred the property, it retained responsibility to pay for the $8.4 million in debt associated with the original purchase of the property and subsequent improvements, which are estimated to be an additional $27 million. As a result of this decision, Town taxpayers have liability, or potential liability, for as much as $35.4 million² in costs associated with a property the Town no longer owns.

In February 2011, the Board passed a resolution agreeing to serve as guarantor of $25 million in short term obligations to be issued by the RLDC with a maturity date not to exceed five years. Taxpayers had previously indicated that they were opposed to the guarantee of 30-year bonds; in an apparent attempt to avoid the voters' opposition and guarantee the RLDC bonds, bonds with five-year terms were agreed upon. Under the guarantee, the Town has agreed to be obligated to pay the principal and interest payments directly, with reimbursement from the RLDC. The Town agreed to a risky guarantee whereby revenues were pledged to pay these liabilities before any other Town payments were made. This could affect payments such as salaries and could impact essential services provided by the Town. Further, this may give RLDC bondholders a prior right to be paid over those holding obligations issued directly by the Town.³

The Town does not have a written agreement with the RLDC outlining how the RLDC will reimburse the Town for the principal and interest on the $25 million bonds that the Town is obligated to pay. To demonstrate the RLDC's ability to reimburse the Town, the bond prospectus indicates that the RLDC is relying on revenues that will be generated from the sale of affordable housing units to reimburse the Town for the principal and interest payments. However, the RLDC obtained loans of approximately $29.9 million that were guaranteed by the Town to build the affordable housing units. These loans must be repaid before any revenues generated from the sale of the units are made available to reimburse the Town for payments related to the $25 million bonds. Further, due to the economic downturn in the housing market, the sale of the housing units may not occur within the anticipated timeframe and estimated sales revenues may not be realized by the RLDC. As a result, the RLDC may be unable to reimburse the Town for the principal and interest payments made on the $25 million bonds.

² The cost shown above represents unaudited amounts as of June 8, 2011, and is not the total cost, as the project was ongoing as of this date.

³ We understand that several issues related to the stadium's financing remain in litigation. Therefore, we have not made findings on underlying legal issues relating to the financing. Nonetheless, we find that the transaction raises significant legal issues, including: 1) The New York State (NYS) Constitution generally prohibits towns from loaning their credit (e.g., guaranteeing loans) to or in aid of any private or public corporation or association; 2) A local government may not submit a proposition to referendum, even upon petition of the voters, unless expressly authorized or required by statute. It is not clear under what statute the resolution was made subject to permissive referendum; 3) The NYS Constitution prohibits towns from making gifts or loans of property to or in aid of private entities. Although characterized by the Town and the RLDC as a "Purchase and Sale," the Town received no cash consideration for transfer of property. The purchase price under the transfer agreement was stated as "RLDC's development and construction of the Project ... and the resulting community benefits to be derived therefrom." It is unclear whether the purchase and sale is for adequate consideration so as not to constitute an unconstitutional gift by the Town.


While there is no written agreement, the RLDC has committed to provide the revenues generated from the sale of affordable housing units to reimburse the Town for the principal and interest payments on the short term obligations issued in connection with the baseball stadium. These excess funds could have been used to fund other RLDC initiatives. This commitment will significantly impact the ability of the RLDC to further its mission and achieve its stated goals of lessening the burdens of government by undertaking and promoting urban redevelopment initiatives in the Town.

As a result of the decisions the Board made, Town taxpayers are now potentially responsible for approximately $35.4 million in expenditures for a property not owned by the Town. Furthermore, the Town has agreed to guarantee an additional $25 million in short-term, five-year bonds issued by the RLDC, after taxpayers had previously voted against a resolution that guaranteed financing of 30-year bonds that were to be issued by the RLDC.

Feasibility Analysis

When implementing a capital project, Board members should ensure that there is a well-defined plan, which evaluates the cost of a project and the potential costs to taxpayers. In an effort to determine the feasibility of the baseball stadium, the RLDC contracted with an outside vendor to perform a feasibility analysis. We reviewed this analysis and found that it was inadequate. We found that the consultant only considered the costs of the structure to be built; it did not consider the total cost of the project. Specifically, we found the following:

• The consultant did not incorporate the cost of the land or necessary property improvements to erect the structure.
• The consultant chose facilities that were built in 2002 and prior, which resulted in a cost per capacity⁴ of $3,581. We found projects from 2005 to 2010 with cost per capacity ranging from $3,900 to $6,788.
• The figures used within the report were not consistent from one section to the next, and figures such as cost per capacity could not be recomputed based upon the information provided.

⁴ Capacity is the total amount of seating available; therefore, the cost per capacity represents the amount of money it costs per seat. It is calculated by taking the total cost to build and dividing it by the number of seats.


The consultant's report also included revenue estimates from the operation of the baseball stadium. The consultant estimated that the baseball stadium would generate approximately $1.2 million in its first year of operation that would be available to pay debt service. The consultant projected this amount would increase gradually to approximately $1.7 million in year 10. The consultant concluded that $20 million for vertical construction was the maximum amount that could be supported by the projected revenues. In making this assumption, the consultant anticipated that the RLDC would issue 32-year bonds to finance the project.

Further, only one of the four Board members stated that he received and reviewed the report; the remaining members did not receive the report at all. The Supervisor, who is also the President of the RLDC, relied upon this analysis to support his decision to construct and operate a baseball stadium. The analysis did not contain sufficient information to substantiate the decision to build the baseball stadium.

When the RLDC was unable to obtain financing consistent with the terms used in the consultant's feasibility analysis, the Board chose to move forward with the $25 million bonds described above. The feasibility analysis was not updated to reflect the change in financing. The Town will pay approximately $27.5 million⁵ in principal and interest payments for these bonds over the next five years. This is significantly more than the approximately $7 million the consultant determined the baseball stadium would generate in revenues available for debt service during the same time frame. Therefore, it appears that the RLDC has placed more financial burden on the Town and taxpayers via these financial transactions, and the Board moved forward with the project, whose feasibility is questionable.

Recommendations

4. The Board should not use the RLDC to, in effect, circumvent procurement and financing laws that would have applied if the Town directly pursued a capital project.
5. The Board should perform feasibility analyses for future capital projects to determine all costs that will be associated with them. The Board should review these analyses prior to committing to capital projects.

⁵ This includes $25 million in principal and $2.5 million in interest.


Financial Condition
A local government's financial condition reflects its ability to provide and finance services on a continuing basis. A local government is considered to have sound financial health when it can consistently generate sufficient revenues to finance anticipated expenditures, and maintain sufficient cash flow to pay bills and other obligations when due, without relying on short-term borrowings. Conversely, local governments in poor financial condition often experience recurring unplanned operating deficits. Persistent unplanned operating deficits are usually indicative of poor budgeting and can result in cash flow problems and/or deficit fund balances. Cash flow problems often result in the need to borrow monies to finance day-to-day operations.

The Town has experienced a series of unplanned operating deficits in its general, town-outside village, and part-town highway funds over the last several years. These deficits were caused by inaccurate budget estimates and the Board's insufficient monitoring of financial operations throughout the year. The resulting decline in fund balances has, in turn, caused the Town to experience cash flow problems. The Town has addressed its need for cash in the short-term by using interfund advances. However, the Board has not adequately monitored the funds, which resulted in funds not being paid back prior to the end of the fiscal year at a comparable interest rate. Unless these budgetary and cash flow problems are addressed, future Town operations could be adversely impacted.

Budget Estimates

Board members must ensure that there is an adequate process in place to prepare, adopt and amend budgets based upon reasonably accurate assessments of resources that can be used to fund appropriations. When estimating budgeted revenues, the Board and Town officials must have current and accurate information. They also should use historical data, such as prior years' actual results of operations, to guide them in determining whether revenues and expenditures are reasonable.

As illustrated in the table below, the Town has experienced revenue shortfalls in the general fund during fiscal years 2009 and 2010. While we found that actual expenditures were within budget, Town officials overestimated revenues for the past two years.


Table 1: General Fund Revenue Shortfalls

Description                                      2009            2010
Budgeted Revenues                         $28,501,877     $32,394,657
Actual Revenue                            $27,999,302     $28,867,620
Revenue Above/(Below) Budgeted Revenue     ($502,575)    ($3,527,037)

In particular, Town officials adopted an unrealistic budget for 2010 that resulted in $3.5 million in revenue shortfalls. For example, Town officials overestimated mortgage taxes by $1.4 million, overestimated golf fees by $342,207 and overestimated sales of real property by $586,000.

Town officials continued to budget unrealistically when adopting the 2011 budget. We reviewed the 76 budgeted revenue lines in the general fund and found that 34 appeared unreasonable based upon historical trend data. For example, the Town budgeted for $510,000 in tennis revenue although it had only received actual revenue of $18,000 in 2010. Town officials budgeted for $1,850,000 in golf fees although the Town received only $1,507,793 in 2010. Further, Town officials continued to overestimate mortgage taxes; the 2011 budget includes $2,200,000 for this revenue even though 2010 actual revenue was $1,321,126. Estimating a 67 percent growth in mortgage tax revenue is unrealistic.

Town officials indicated that they review historical data when preparing the budget; however, they did not estimate revenues to reasonably respond to a clear and obvious downward trend or adjust estimates in accordance with the revenue shortfalls in prior years. In addition, we found no indication that the Board monitored actual results compared to the budget during the year. Further, the Supervisor could not provide any explanations for the budget estimates for 2011. Without realistic estimates, there is a risk that the Town will experience further revenue shortfalls and therefore, operating deficits.

Operating Deficits and Fund Balance

Budgets are meant to balance revenues and expenditures, so that the local government is able to provide needed services with the resources available. However, the reality is that budgets will rarely work out precisely as planned, which can lead to operating deficits if expenditures exceed revenues. An operating deficit can be planned for and financed by appropriating fund balance. An unplanned operating deficit results from over-expending appropriations, not receiving budgeted revenues, or a combination of the two. Although operating deficits can be planned as a means of prudently using excess accumulated fund balance to finance operations, persistent and recurring operating deficits are usually indicative of structurally imbalanced budgets and financial stress.


Fund balance is the difference between revenues and expenditures accumulated over a period of time. The unreserved, unappropriated amount is the portion of fund balance that can be used to manage unexpected occurrences such as emergency repairs, cost and demand fluctuations in commodities such as utilities and gasoline, and unanticipated shortfalls in estimated revenues. Inadequate unreserved, unappropriated fund balance limits Town officials' ability to manage emergencies and other unanticipated occurrences.

The Town incurred unplanned operating deficits in the general, town-outside village, and part-town highway funds for the fiscal year ending December 31, 2010. The deficits occurred because of unrealistic revenue estimates and Town officials' failure to monitor and adjust the budget when it became clear that anticipated results would not be achieved. A three-year history of the operating surplus or deficit for each of the operating funds is shown in the tables below.

Table 2: General Fund Balance

Description                    2008           2009           2010
Operating Surplus/(Deficit)    $45,941        ($391,081)     ($2,103,899)
Ending Fund Balance            $4,501,665     $4,110,584     $2,006,685

The general fund had operating deficits of $391,081 and $2,103,899 in 2009 and 2010. The deficits occurred because of the Board's unrealistic budgeting practices, as previously discussed, which created revenue shortfalls and decreased fund balance. As a result of the operating deficits incurred, the fund balance has declined from $4.5 million to $2.0 million.

Table 3: Town-Outside-Village Fund Balance

Description                    2008           2009           2010
Operating Surplus/(Deficit)    ($109,385)     ($503,027)     ($107,606)
Ending Fund Balance            $676,651       $173,624       $66,018

The town-outside-village fund's operating deficits stemmed from revenue shortfalls caused by overestimating revenues. For example, in 2010 Town officials had revenue shortfalls for building permits totaling $240,807 and for departmental income totaling $316,374.

Table 4: Part-Town Highway Fund Balance

Description                    2008           2009           2010
Operating Surplus/(Deficit)    ($169,168)     ($110,450)     ($215,068)
Ending Fund Balance            $371,553       $261,103       $46,035

For the part-town highway fund, Town officials caused these deficits by overestimating revenues and by over-expending budget line items. For example, Town officials over-expended the salaries budget line item by $223,305 in 2010. In addition, Town officials did not realize revenue totaling $97,674 in the transportation services to other government budget line item.

The Town has depleted its fund balances and has limited financial cushions in the event of an emergency. Further, if the Town continues to experience operating deficits, there is a risk that it may need to borrow funds to finance the deficit and to finance day-to-day operations.

Exceeding Appropriations

Formal budgetary accounting is a management control technique used to assist in controlling expenditures. Budgetary accounting techniques are important because the annual budget is a legal compliance standard against which the Town's operations are evaluated. The law requires the Town to maintain separate accounts for each appropriation. The law does not permit the Town to overdraw an appropriation or use a fund or appropriation to pay a claim chargeable to another fund or appropriation. Town officials must obtain Board approval before exceeding any appropriation.

In fiscal year 2010, the Town overexpended $6.8 million in individual accounts in the Town's five major funds. While total expenditures were within the budget, many individual account lines were exceeded, as shown below.

Table 5: Over-Expended Appropriations as of December 31, 2010

Fund                    Total Accounts    Accounts Over-Expended    Percentage of Total Over-Expended    Dollar Amount Over-Expended
General Fund            684               314                       46%                                  $3,716,581
Police Fund             116               58                        50%                                  $2,252,264
Town Outside Village    59                28                        47%                                  $102,529
Highway Town-Wide       34                21                        62%                                  $414,328
Highway Part Town       42                15                        36%                                  $332,145
Totals                  935               436                       47%                                  $6,817,847


These over-expenditures occurred for several reasons. First, the finance software used by the Town has settings that would prohibit the creation of requisitions if funds are unavailable; however, these settings are currently disabled, which allows users to create requisitions against funds that are not available. In addition, during the purchasing process, when requisitions become formal purchase orders, there is no control in place to identify requisitions that do not have sufficient funds available. Further, Town officials do not provide the Board with regular budget reports for monitoring purposes. However, the Board does approve a year end budget transfer to rectify the over-expenditures and, therefore, should be aware of the issue. Without proper controls, there is a risk that the Town's already declining financial position may worsen.

Inter-Fund Advances

General Municipal Law (GML) allows municipalities to temporarily advance monies from one fund to another (with certain restrictions). Towns generally are not authorized to make budgetary transfers between funds that have different tax bases. When Town officials advance monies between funds that have different tax bases, they must repay the advance, with a comparable amount of interest, by the end of the fiscal year in which the advance was made.

As a result of the Town's declining financial position, the Town has depended on inter-fund advances from the other Town operating funds to help finance operations. At fiscal years ended December 31, 2009 and December 31, 2010, the Town advanced approximately $3.3 million and $3.9 million, respectively, between funds with differing tax bases. Town officials did not pay back these funds prior to the end of the fiscal year. Town officials were not aware that the advanced funds were required to be paid back by the end of the fiscal year. Further, Town officials did not repay these interfund advances with a comparable amount of interest. For example, in 2009, the police fund loaned $3.3 million to the general fund. These funds were originally invested in CDs earning 1.45 percent; if these funds had remained in the CDs, they would have earned interest totaling $19,973. Town officials only paid the police fund $2,730 in interest. Therefore, the police fund lost $17,243 in interest because it was not paid back with a comparable rate of interest.

The Board is responsible for approving all inter-fund advances, and must ensure that all temporary inter-fund advances are repaid by fiscal year end with interest at a comparable rate to what the fund would have earned if the monies had not been advanced. If repayment does not occur at a comparable interest rate, taxpayer inequities will occur.

Recommendations

6. The Supervisor should develop reasonable budget estimates.
7. The Board should monitor its budget continuously and make necessary adjustments to avoid operating deficits and continued decline in fund balance.
8. The Board should activate the control feature in the financial system that prevents requisitions from being created without proper funding.
9. The Board should ensure that funds advanced are paid back in a timely manner and with a comparable rate of interest.


Information Technology
Computerized data is a valuable resource that Town officials rely on to make financial decisions. The Town's information technology (IT) system is an essential part of operations used for accessing the Internet, email communication, processing and storing data, and reporting to State and Federal agencies. If the IT system fails, or the data is lost or altered, either intentionally or unintentionally, the resulting problems could range from inconvenient to severe; even small disruptions in electronic data systems can require extensive effort to evaluate and repair. An effective system of internal controls to safeguard computerized data includes policies and procedures that address key aspects of computer use and data security, including system security and the protection of data from loss due to threats or accidents (disasters). The Board and Town officials are responsible for establishing, designing, and implementing a comprehensive system of internal controls over the Town's IT system and data to protect these assets against the risk of loss, misuse, or improper disclosure of sensitive data.

The Board has not established policies and procedures related to breach notification, disaster recovery planning, and online banking. We also found weaknesses in the Town's internal controls relating to the auto complete function, deactivating terminated user accounts, and limiting personal computer use. Further, the Board has not provided Town employees with security awareness training. These control weaknesses increase the risk that the Town's IT system and electronic data may be susceptible to loss, unauthorized use, or improper disclosure.

Breach Notification

The law requires local governments to establish an information breach notification policy. The policy should detail how employees would notify residents whose personal, private or sensitive information was, or is reasonably believed to have been, acquired by a person without valid authorization. The disclosure should be made in the most expedient time possible and without unreasonable delay, consistent with the legitimate needs of law enforcement or any measures necessary to determine the scope of the breach and restore the reasonable integrity of the data system.

Town personnel in several departments collect social security numbers, driver's license numbers and bank account information for business purposes; however, the Town neither adopted a formal breach notification policy, nor classified its data according to risk.


The Director indicated that she was unaware of the requirement to establish a breach notification policy. Since we made the Director aware, she has begun to identify what personal, private or sensitive data is collected and stored by Town departments and is creating a breach notification policy. Without a formal breach notification policy, the Town may not be able to fulfill its legal obligation to notify affected individuals in the event that sensitive information is compromised.

Disaster Recovery

Town officials are responsible for developing and documenting a disaster recovery plan. A good disaster recovery plan addresses a range of potential disruptions. These may include relatively minor disruptions, such as temporary power failures, as well as major disasters such as fire or natural disasters that would require reestablishing operations at a remote location. If controls are not adequate, even relatively minor disruptions can result in lost or incorrectly processed data, which can cause financial losses, expensive recovery efforts, and inaccurate or incomplete financial or management information. Further, the plan should set forth procedures to ensure Town personnel can either maintain, or quickly resume, mission-critical functions.

Town officials have not developed and documented a formal disaster recovery plan. We discussed this issue with the Director, who has begun to investigate several different approaches to protect the data. When she determines the most cost-effective plan for the Town, she will meet with the disaster preparedness committee. If the Town experiences a major disruption, without a formal disaster recovery plan, Town personnel have no guidelines or plan to follow to resume mission-critical functions.

Auto Complete Setting

The auto complete feature in Internet Explorer can save web addresses, form data, and login information such as usernames and passwords.
Typically, web browsers and applications store the login credentials if the auto complete option is enabled. Work stations store the user names and passwords in locations that are easy to access. A user name and password provides access to applications that are solely for that user's purpose; this information will be automatically entered every time the employee visits the website. The employee's information also will be automatically entered for anyone else who uses the employee's computer and accesses the same web sites. When a user's name and password can be accessed, there is a risk that someone other than the user who gains access to the work station can compromise the login credentials in a matter of seconds.

The auto complete setting was enabled on the Town's online banking computer. This setting automatically populated the user name and password when the first letter of the user's name and password was entered. As a result, the Town is at risk that unauthorized users can sign on, access banking information, and compromise financial data. When we notified the Director, she immediately disabled the auto complete feature.

User Accounts

Good internal controls include policies and procedures designed to limit access to data. Town employees are assigned user accounts that enable them to access the network. All changes to user accounts, including additions, deletions, and modifications, should be authorized and approved in writing by an appropriate Town official. It also is important for user accounts to be deactivated as soon as employees leave Town service.

The Town does not have written policies for deactivating user accounts. The process used by the Town for terminating access to the Town's network and financial system is inadequate. The Human Resources Department does not formally notify the IT Department when an employee leaves Town service, so the IT Department must contact Human Resources to confirm the employee has left. An IT staff member must disable the account on the day the employee is terminated. In addition, the Director indicated that, once a year, the Department requests a list of all terminations for the year from Human Resources and deactivates terminated employees from the system.

We reviewed the list of 496 network user accounts on the Town's active directory and 66 user accounts on the Town's financial software to determine if employees who had left Town service were still on the list of active users. We found three users on the active directory and 12 users on the financial software whose accounts had not been disabled after they left Town service. The duration of time these employees have remained active on active directory was 30 to 827 days; one employee who left Town service 15 years ago was still active on the financial software.
In addition, we found that two users out of 12 who had left Town service remained on the financial system following the Department's year-end review. Therefore, the yearly review was inadequate, and the Town did not have another procedure in place to periodically evaluate the user accounts on the active directory or the financial system. When we informed the Director of our findings, she immediately deactivated these users. Failure to promptly remove the access rights of inactive employees increases the risk that unauthorized users could inappropriately gain access to a system and change, destroy, or manipulate confidential and/or critical data.
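The comparison described above, enabled accounts checked against Human Resources separation records, can be run as a recurring reconciliation instead of a yearly manual review. The following Python sketch is an added example and is not part of the audit report; the CSV layouts, field names and sample rows are constructed assumptions, and it also flags enabled accounts that match no HR record.

```python
import csv
import io
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Constructed sample exports (illustrative only, not data from the audit).
HR_ROSTER_CSV = """employee_id,name,separation_date
1001,A. Rivera,
1002,B. Chen,2010-10-18
1003,C. Okafor,2008-08-12
1004,D. Silva,1995-06-30
"""

ACCOUNTS_CSV = """system,username,employee_id,enabled
directory,arivera,1001,true
directory,BChen,1002,true
directory,cokafor,1003,true
financial,cokafor,1003,false
financial,dsilva,1004,true
financial,svc_backup,,true
directory,tempuser,1999,true
"""

AUDIT_DATE = date(2010, 11, 17)  # end of the audit period named in the report


@dataclass(frozen=True)
class Finding:
    system: str
    username: str
    reason: str                 # "separated" or "no_hr_record"
    days_active: Optional[int]  # days enabled past separation, if known


def load_separations(roster_csv):
    """Map employee_id -> separation date (None while still employed)."""
    separations = {}
    for row in csv.DictReader(io.StringIO(roster_csv)):
        raw = (row["separation_date"] or "").strip()
        separations[row["employee_id"].strip()] = (
            date.fromisoformat(raw) if raw else None
        )
    return separations


def find_stale_accounts(roster_csv, accounts_csv, as_of):
    """Return enabled accounts whose owner has left or cannot be identified."""
    separations = load_separations(roster_csv)
    findings = []
    for row in csv.DictReader(io.StringIO(accounts_csv)):
        if row["enabled"].strip().lower() != "true":
            continue  # already deactivated, nothing to report
        system = row["system"].strip()
        username = row["username"].strip().lower()  # exports differ in case
        emp_id = (row["employee_id"] or "").strip()
        if emp_id not in separations:
            # Shared, service or orphaned account: needs a named owner.
            findings.append(Finding(system, username, "no_hr_record", None))
            continue
        left = separations[emp_id]
        if left is not None and left <= as_of:
            findings.append(
                Finding(system, username, "separated", (as_of - left).days)
            )
    # Longest-exposed accounts first, unidentified accounts last.
    findings.sort(key=lambda f: (f.days_active is None, -(f.days_active or 0)))
    return findings


def format_report(findings):
    """Render findings as fixed-width text for a ticket or e-mail."""
    lines = []
    for f in findings:
        if f.reason == "separated":
            detail = f"{f.days_active} days past separation"
        else:
            detail = "no matching HR record"
        lines.append(f"{f.system:<10} {f.username:<12} {detail}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(format_report(
        find_stale_accounts(HR_ROSTER_CSV, ACCOUNTS_CSV, AUDIT_DATE)
    ))
```

Keying both exports on an employee identifier rather than on the username lets the same check cover the directory and the financial application even when login names differ between them.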


Inappropriate Computer Use

To help protect the Town's computing environment, the Board adopted an acceptable-use policy governing employees' use of Town computers. This policy restricts the use of the Town's computer systems to business use only; personal use of the system is prohibited. Generally, Town-owned resources, such as computers, must be used primarily for Town purposes. However, as with the use of a telephone, occasionally it may be necessary for Town personnel to use computers, e-mail or an Internet connection during the business day for personal matters. Sound business practice requires Town personnel to keep the frequency and duration of such occasional personal use to a minimum to avoid interfering with their job performance.

The Town owns approximately 220 computers and has Internet content filters on its network servers to block access to certain websites. The Town's Internet content filtering software logs information relating to users and the domains visited. We selected domains that did not appear to be job-related, which included dating websites, porn websites and social media websites from the usage report. We identified 161 computers that were used to access all or most of these web sites. We selected six of the 161 computers with the most activity for additional testing, and found that these computers were used to access domains such as youtube.com, facebook.com, ebay.com, match.com, hsn.com, turbotax.com and craiglist.com during work hours. Without proper monitoring and control over Internet content filters, there is an increased risk that Internet usage will be more than incidental or occasional.

Based upon our finding, in October 2010, the Director made changes to the Internet content filter to deny access to certain websites. Further, we compared two dates in September 2010 to two dates in November 2010 and found that the percentage of time that the six computers tested spent accessing web sites decreased by 46 percent as a result of the changes implemented by the Director.

Information Security Awareness Training

Security Awareness Training is designed to educate users on the appropriate use, protection and security of information, individual user responsibilities, and ongoing maintenance necessary to protect the confidentiality, integrity, and availability of information assets, resources, and systems from unauthorized access, use, misuse, disclosure, destruction, modification, or disruption.

The Board has not provided employees with information security awareness training. We interviewed eight of the 13 employees using online banking to determine if they have been provided with security awareness training. All eight employees indicated that the Town had not provided them with training. In addition, users were accessing the online banking with desktop shortcuts and were not cleaning out their temporary Internet files or web browser cache after completing an online banking session, which increases the risk of unauthorized access. By failing to provide security awareness training, there is an increased risk that employees will not understand their responsibilities on how to appropriately protect the computer system. As a result, the data and computer resources they have been entrusted with will be at greater risk for unauthorized access, misuse or abuse.

Banking Policy

Effective internal controls over online banking include policies and procedures to properly monitor and control online banking transactions. A comprehensive online banking policy clearly describes the online banking activities the Town will engage in, specifies which employees have the authority to process transactions, establishes a detailed approval process to verify the accuracy and legitimacy of transfer requests, and requires a monthly report of all online banking transactions. It is important that someone independent of the online banking process review this report and reconcile it with the monthly bank statement to verify that all transactions were properly approved and appropriate.

The Town has not adopted an online banking policy. Without proper controls over online banking processes, Town funds will be at increased risk of being stolen through cyber fraud activities.

Recommendations

10. The Board should develop and adopt a formal breach notification policy.
11. The Board should implement a formal disaster recovery plan to address the possible loss of data in the event of a disaster.
12. The Director of Automated Systems should ensure that the auto complete setting is disabled on all computers.
13. The Board should establish formal policies and procedures for the addition and deletion of user accounts.
14. The Director of Automated Systems should monitor Internet usage for inappropriate content.
15. The Board should provide officers and employees with information security awareness training.
16. The Board should adopt an online banking policy.

APPENDIX A RESPONSE FROM TOWN OFFICIALS


The Town officials' response to this audit can be found on the following pages.

[Town officials' response letter not reproduced in this text. Its margin annotations cross-reference Notes 1 through 35 in Appendix B.]

APPENDIX B OSC COMMENTS ON THE TOWN OFFICIALS' RESPONSE

In response to concerns raised and observations made about our audit in the Town officials' letter, we provide the following information.

Note 1
Our transmittal letter does not state that the report may be inaccurate or incomplete, as stated in the Town's response. The transmittal letter states, "If you believe anything in the preliminary draft findings may be inaccurate or incomplete, please feel free to contact me." Further, in accordance with our policy, the report was disseminated to only Town officials, not to the general public. The report provides an accurate representation of the Town's financial transactions and condition; it does not contain faulty conclusions and misrepresentations. Appendix C includes our audit methodology and standards used in determining our audit findings.

Note 2
We removed from the objective "to ensure compliance with taxpayer wishes," as a result of Judge Linda S. Jamieson's September 22, 2011 decision. The remaining notes to the response provide evidence that our audit results are accurate and properly summarize the findings cited in the report.

Note 3
The Town's response does not specifically address the Board's knowledge about the baseball stadium. When we met with Board members, they indicated that they did not know how much the baseball stadium would cost the taxpayers or how it would be paid for. Further, Board members stated that they did not receive the financial information, including contracts necessary to make sound decisions, even when requested.

Note 4
Town Board Resolution 2010-149 states the Town has proposed the construction of a ballfield known as Project Grand Slam. It further states that the RLDC will assist the Town of Ramapo in the development of Project Grand Slam, indicating that this is clearly a Town project. Further, comments in the audit report clearly represent statements made by Board members.

Note 5
By using the RLDC to construct the stadium, the Supervisor and Board, in effect, circumvented the procurement laws that would have applied if the Town directly pursued the project. The report does not address whether the RLDC acted in accordance with its own procurement policies.


Note 6
The paragraph does not imply that the Town manipulated the RLDC; it states that, by using the RLDC, Town officials, in effect, circumvented the procurement laws that would have applied if the Town directly pursued the project. Moreover, our reference to the Wicks Law was based on statements made to us by Board members to the effect that the stadium could be built at a lower cost by the RLDC, which did not have to comply with the Wicks Law. Also, while it is true that the separate specification requirement of the Wicks Law does not apply to local governments that provide for a project labor agreement in accordance with the requirements of Labor Law § 222, other statutory procurement requirements would still apply to the local government.

Note 7
Judge Jamieson's statement on the broad powers of LDCs relates to whether the purpose for which the land was transferred to the RLDC fell within the powers of an LDC under the Not-For-Profit Corporation Law. It did not relate to the propriety of the procurement process used to construct the stadium. In fact, the court did not address any such procurement issue. Further, the paragraph referenced in no way implies that the RLDC acted improperly, but rather is directed at actions of Town officials.

Note 8
The reference to the State Constitution is merely a generic statement of the general prohibition against loans of credit by towns. With respect to the exception for urban renewal projects, article 18, § 2 of the State Constitution does not provide a blanket exception for town loans of credit for urban renewal purposes. Rather, it provides that the State Legislature may authorize towns to guarantee principal and interest on indebtedness contracted by public corporations for urban renewal purposes. The State Legislature has implemented this grant of authority by authorizing towns, subject to referendum requirements, to guarantee loans of municipal urban renewal agencies established pursuant to article 15-A of the General Municipal Law, which are public benefit corporations (General Municipal Law §§ 503-a, 553, 559).

Note 9
Board members indicated that the Town Supervisor did not provide them with evidence that other financing was available. The Town transferred the property in November 2010, after the taxpayers voted down the proposal for a 30-year guarantee of the RLDC financing. Given that, in February 2011, the Board once again voted to guarantee the financing with a shortened, more risky term. This action indicates that more favorable terms were not available, as stated.

Note 10
The statement in the report that Town taxpayers have liability or potential liability for as much as $35.4 million in costs associated with property the Town no longer owns has nothing to do with the $25 million of bonds issued by the RLDC and guaranteed by the Town. The $35.4 million is comprised of the $8.4 million that the Town spent to acquire the stadium property plus the additional $27 million of Town moneys that were spent to improve the property.

Note 11
The report states that Town taxpayers have a potential liability associated with property the Town does not currently own, but we did not address whether Town taxpayers may receive a benefit from the property transfer. Moreover, Judge Jamieson's decision did not address whether taxpayers, in fact, are receiving tangible benefits from the stadium project. Rather, the context of her decision addressed whether the project fell within the powers of an LDC under the Not-For-Profit Corporation Law, and stated that providing for additional employment is one of things that the stadium project was intended to do.

Note 12
The word "guarantor" is a direct quote from the Board resolution itself. The role of a guarantor typically is to become liable only in the event of a default by the principal. To the extent the use of quotation marks around the word "guarantor" could be construed to imply that the Town is the party principally liable to bondholders, as we understand the Town Guaranty, the Town has agreed to pay debt service in the first instance. The official bond statement specifies that the interest payment due September 15, 2011 will be paid with interest from the bond proceeds. Therefore, we question whether actual RLDC funds were used to make the first payment as indicated. With no agreement between the Town and RLDC outlining how the RLDC will reimburse the Town for the principal and interest payments it will make on behalf of the RLDC, the short-term nature of the bonds, and questionable revenue stream slated to make the payments, it seems to us that the Town effectively is principally liable.

Note 13
The report does not make findings on the underlying legal issues relating to the guarantee. However, the Town has agreed to guarantee $25 million in short-term, five-year bonds issued by the RLDC. We view this as an apparent attempt to avoid the voters' opposition to the guaranteed financing of 30-year bonds that were to be issued by the RLDC by reconfiguring the transaction as a five-year guarantee, which the Town believed was not subject to voter approval.

Note 14
The footnote merely sets forth several legal issues raised by the transaction. Judge Jamieson's April 4, 2011 and September 22, 2011 decisions addressed specific causes of action brought by petitioners and, as we read these decisions, they did not address on the merits the issues raised in the footnote, including whether there was underlying authority for the permissive referendum. In the context of a post-audit, mentioning that these issues are raised by the transaction is appropriate.

Note 15
As shown in the table below, taken from the Official Statement for the RLDC Bonds (Appendix H, Anticipated Redemption of the Bonds), none of the revenues from the housing project have been pledged to the bonds. Further, as shown below, the payment of the $29.9 million in Town-guaranteed debt will occur during 2012 and 2013. As illustrated, the Town-guaranteed debt is deducted from revenues to arrive at the net amount available to reimburse the Town for the payments of principal and interest. Further, the revenues illustrated are estimates and may not be realized as anticipated.

Note 16
The audit report represents an audit of the Town, not the RLDC. Therefore, there is no guarantee as to whether the revenues anticipated will be realized. The Town had the opportunity during the audit and accompanying this response to provide actual documentation of such sales, and failed to do so.

Note 17
The report is factual. If the funds were not being used to pay for the stadium, they would be available for other RLDC initiatives. Therefore, the commitment of these funds to pay for principal and interest payments on the bonds issued for the baseball stadium impacts the RLDC's ability to further its mission. Further, the paragraph properly represents the results of the actions taken by Town officials.

Note 18
The report states that Town taxpayers are potentially responsible for approximately $35.4 million in expenditures on the stadium property and that the Town also guaranteed $25 million in bonds issued by the RLDC. The $35.4 million is comprised of the $8.4 million that the Town spent to acquire the stadium property plus an additional $27 million of Town moneys that were spent to improve the property. By guaranteeing the RLDC's bonds, the Town is at least potentially liable for another $25 million in stadium costs. Therefore, based just on these facts, Town taxpayers are responsible, or potentially responsible, for a minimum of $60.4 million in connection with the stadium. Moreover, whether the RLDC has the intent or the means to pay the debt service on its bonds relates to the likelihood that the Town will have to honor its guarantee, not to the existence of the Town's potential liability on those bonds.


Note 19
Only one of the four Board members stated that he received and reviewed the consultant's report; the remaining members did not receive the report at all. Further, Town officials did not provide us with any evidence, such as plans, analysis or other documentation, that further review or analysis was performed.

Note 20
As stated in the Official Statement on the RLDC bonds, none of the revenues from the housing project have been pledged to the bonds. In addition, there is no agreement between the Town and RLDC outlining how the RLDC will reimburse the Town. Further, revenues may not be realized as anticipated. Appendix H of the Official Statement, which sets forth the anticipated redemption of the bonds, expressly states that "[t]here is no assurance that the schedule of Anticipated Redemption will occur as expected" and, in fact, shows a shortfall in RLDC revenues to reimburse the Town for 2016. Therefore, it does appear that the RLDC has placed a financial burden or, at the very least, a potential financial burden, on the Town and taxpayers, greater than that initially envisioned in the feasibility study.

Note 21
As stated in the report, the Town has experienced a series of unplanned operating deficits in its general, town-outside-village, and part-town highway funds over the last several years. An operating deficit results when expenditures exceed revenues during the fiscal year, and is different than a fund balance deficit. Fund balance is the difference between revenues and expenditures accumulated over a period of time. When an operating deficit exceeds available fund balance, a fund balance deficit occurs. Further, inter-fund transfers were not repaid at a comparable interest rate. For example, as stated in the report, in 2009, the police fund lost $17,243 in interest because it was not paid back with a comparable rate of interest for its inter-fund transfer to the general fund.

Note 22
The Town's required pension contributions are a factor of the national economic recession and individual Town decisions, such as salary levels, staffing levels, and specific pension options it has chosen.

Note 23
The 2010 amounts referred to in the draft report were based on unaudited amounts obtained from the Town's financial system. These amounts represented the most current information available to us and Town officials at the time of our fieldwork, and were the information that Town officials had available to them upon which they based decisions. The independent audit of the Town's financial statements for the year ended December 31, 2010 referred to in the Town's response was not received by the Town until after we had completed our fieldwork. Town officials subsequently provided us with the audited financial statements that they referred to in their response. The financial statements report that the Town depleted its fund balance in 2010, resulting in a net change of ($15,544,380) in fund balance. We reviewed the statements and included the audited numbers in the final report.

Following is our response to the Town's comments:

Town Comments 2 and 3 in the Financial Condition Section: The audited financial statements (page 60) report a shortfall of $3,527,037, not $1,226,687. We changed the report to reflect the audited numbers.

Town Comment 3 in the Financial Condition Section: The draft report indicated that $1.85 million was budgeted for golf revenues and only $1.5 million was received. We revised the report to reflect the difference of $342,207. The audited financial statements indicate a sale of real property of $314,000; therefore, we changed the $900,000 reported in the draft report to $586,000.

Town Comment 5 in the Financial Condition Section: The Town incurred operating deficits in these three funds. Page 19 of the audited financial statements reports that the general and town-outside-village funds had operating deficits in 2010, and page 73 reports the part-town highway fund had a deficit. Prior year fund balance was applied to render positive fund balance in these funds in 2010. We deleted the statement that these funds now have deficit fund balances from the report.

Town Comments 6 and 7 in the Financial Condition Section: Page 60 of the audited financial statements reports revenues, not fund balance. Page 16 of the financial statements reports a negative change in fund balance of $2,103,899. Therefore, the fund balance was reduced from over $4 million to $2 million in 2010. The report is changed to reflect the $2 million fund balance amount.

Town Comment 8 in the Financial Condition Section: Page 19 of the audited financial statements reports a deficit of $107,606, not a surplus. The deficit of $107,606 was applied to the $173,624 fund balance. Therefore, the fund balance was reduced to only $66,018 in 2010. These numbers are incorporated into the report.

Town Comment 9 in the Financial Condition Section: We revised the building permit figures in the final report to reflect the figures reported in the audited financial statements. We also deleted our discussion of the sales tax figures from the final report. However, while the audited financial statements report that the sales tax figures exceeded the budget, the Town had a revenue shortfall for departmental revenue totaling $316,374. We included this departmental revenue shortfall in the final report.

Town Comment 10 in the Financial Condition Section: Page 73 of the audited financial statements reports a net negative change in fund balance of $215,068, not $251,068. Therefore, the fund balance was decreased from $261,103 in 2009 to only $46,035 in 2010. We revised the report to reflect these numbers.

Town Comment 12 in the Financial Condition Section: The Town has depleted its fund balance, as illustrated in the audited financial statement. The word "negative" is removed from the report.


Note 24
We emailed the Supervisor on April 19, 2011 and requested that he provide explanations for the 2011 budget estimates in question. Neither the Supervisor nor the Finance Department provided any explanations.

Note 25
The numbers in the report were not changed, as this number was not supported by the audited financial statements. In addition, the $97,674 in revenue that was not realized is listed in the Town's financial system as account 2221003, transportation services to other governments, specifically the Village of Monsey.

Note 26
The significance of the budget lines being over budget is that the law does not permit the Town to overdraw an appropriation or use a fund or appropriation to pay a claim chargeable to another fund or appropriation. Town officials must obtain Board approval before exceeding any appropriation. This demonstrates the Supervisor's failure to obtain Board approval prior to overspending individual budget appropriations.

Note 27
There is no effective review process in place, as depicted in the report. In addition, the fact that the Town over-expended $6.8 million in 935 individual accounts in the Town's five major funds demonstrates a lack of controls over the Town's finances.

Note 28
When Town officials advance monies between funds that have different tax bases, they must repay the advance, with a comparable amount of interest, by the end of the fiscal year in which the advance was made. Repayments of advances were made in February of the following year, which is not within the fiscal year the advances were made. With regard to the interest, the funds were taken from a CD to be made available for use by the other funds; therefore, the advancing fund should have been repaid with the rate of interest of the CD.

Note 29
Town officials did not comply with the law and pay back the funds prior to the end of the fiscal year with a comparable amount of interest.

Note 30
Town officials have not developed and documented a formal disaster recovery plan pertaining to information technology. The plan mentioned in the Town's response does not address information technology.


Note 31
During the audit, we observed that the room where the designated computer was located was left open and unlocked. Further, while observing the wire transfers being performed, we observed that the online banking password automatically populated; therefore, there is a risk that unauthorized users can sign on, access banking information and compromise financial data.

Note 32
The Town does not have written policies for deactivating user accounts, and the process used by the Town for terminating access is inadequate, as evidenced by the excessive number of active user accounts left remaining after Town officials' year-end review. Further, failure to promptly remove the access rights of inactive employees increases the risk that unauthorized users could inappropriately gain access to a system and change, destroy, or manipulate confidential and/or critical data.

Note 33
During the audit, we obtained the Town's user activity report, which listed all the websites visited by Town employees. We advised Town officials of inappropriate computer use by Town employees and recommended that the web content filter be further restricted. After Town officials implemented our recommendation, we found a decrease in the employees' visits to these sites. We acknowledge that web filters can exaggerate time spent on sites; therefore, we did not report the total time spent visiting these sites. In addition, the pornographic sites visited were not limited to Town police; Town employees also visited these sites.

Note 34
Town employees were not provided security awareness training; therefore, the data and computer resources they have been entrusted with will be at greater risk for unauthorized access, misuse or abuse.

Note 35
The Town should adopt policies and procedures to guide staff in areas of operations (such as online banking) where there is high inherent risk of fraud, waste or abuse, or where staff would benefit from specific guidance to perform their duties. This helps to ensure that public funds are used prudently and in the best interest of the taxpayers.


APPENDIX C AUDIT METHODOLOGY AND STANDARDS


Our overall goal was to assess the adequacy of the internal controls put in place by officials to safeguard Town assets and monitor financial activities. To accomplish this, we performed an initial assessment of the internal controls so that we could design our audit to focus on those areas most at risk. During the initial assessment, we interviewed Town officials, performed limited tests of transactions, and reviewed pertinent documents such as Town policies, Board minutes, and financial records and reports.

After reviewing the information gathered during our initial risk assessment, we determined where weaknesses existed, and evaluated those weaknesses for the risk of potential fraud, theft and/or professional misconduct. We focused our audit testing on those areas most at risk, which included the ball stadium, financial condition and information technology.

To accomplish our audit objective and obtain relevant audit evidence, our procedures included the following:

- We reviewed Board minutes to determine the timing and nature of events.
- We reviewed all contracts associated with the initial purchase of the ball stadium and subsequent transfer to the RLDC, RLDC articles of incorporation and by-laws, memorandum of understanding between RLDC and Bottom 9 baseball, feasibility analysis provided to the RLDC, pertinent Board resolutions, lawsuit filed by taxpayers and corresponding decision and order, and the RLDC official bond statement.
- We interviewed the Town Supervisor, Town Attorney and Town Board members.
- We obtained and reviewed information pertaining to the expenditures made by the RLDC and the Town.
- We obtained revenue and expenditure comparison reports for the fiscal years ending 2008 through 2011 and analyzed the budgets when compared to actual, operating surplus/deficits, and 2011 budget estimates and trend for those years.
- We analyzed fund balance for the fiscal years ending 2008 through 2010.
- We examined the inter-fund advances and reviewed Board resolutions authorizing them. We further examined bank statements for affected funds.
- We interviewed the Director of Automated Systems and other appropriate Town officials.
- We interviewed and observed employees who use online banking.
- We obtained and reviewed Town policies and procedures related to information technology.


- We reviewed the configuration of the Town's Internet content filter and obtained reports summarizing usage. We further reviewed additional logs related to usage, as well as the Town's default domain policy and other applicable computer policies set up.
- We reviewed a usage report produced by the filtering program.
- We compared the Internet content filter configuration from the risk assessment to the current settings of the Internet content filter.
- We obtained the list of user accounts set up in the Active Directory and compared them to the current staff list.
- We audited multiple computers, which consisted of running WinAudit software and examining temporary Internet files, cookies, and Internet history.

We conducted this performance audit in accordance with generally accepted government auditing standards (GAGAS). Those standards require that we plan and perform the audit to obtain sufficient, appropriate evidence to provide a reasonable basis for our findings and conclusions based on our audit objectives. We believe that the evidence obtained provides a reasonable basis for our findings and conclusions based on our audit objectives.


APPENDIX D HOW TO OBTAIN ADDITIONAL COPIES OF THE REPORT


To obtain copies of this report, write or visit our web page:

Office of the State Comptroller
Public Information Office
110 State Street, 15th Floor
Albany, New York 12236
(518) 474-4015
http://www.osc.state.ny.us/localgov/


APPENDIX E OFFICE OF THE STATE COMPTROLLER DIVISION OF LOCAL GOVERNMENT AND SCHOOL ACCOUNTABILITY
Steven J. Hancox, Deputy Comptroller Nathaalie N. Carey, Assistant Comptroller

LOCAL REGIONAL OFFICE LISTING


BINGHAMTON REGIONAL OFFICE H. Todd Eames, Chief Examiner Office of the State Comptroller State Office Building - Suite 1702 44 Hawley Street Binghamton, New York 13901-4417 (607) 721-8306 Fax (607) 721-8313 Email: Muni-Binghamton@osc.state.ny.us Serving: Broome, Chenango, Cortland, Delaware, Otsego, Schoharie, Sullivan, Tioga, Tompkins Counties

NEWBURGH REGIONAL OFFICE Christopher Ellis, Chief Examiner Office of the State Comptroller 33 Airport Center Drive, Suite 103 New Windsor, New York 12553-4725 (845) 567-0858 Fax (845) 567-0080 Email: Muni-Newburgh@osc.state.ny.us Serving: Columbia, Dutchess, Greene, Orange, Putnam, Rockland, Ulster, Westchester Counties

BUFFALO REGIONAL OFFICE Robert Meller, Chief Examiner Office of the State Comptroller 295 Main Street, Suite 1032 Buffalo, New York 14203-2510 (716) 847-3647 Fax (716) 847-3643 Email: Muni-Buffalo@osc.state.ny.us Serving: Allegany, Cattaraugus, Chautauqua, Erie, Genesee, Niagara, Orleans, Wyoming Counties

ROCHESTER REGIONAL OFFICE Edward V. Grant, Jr., Chief Examiner Office of the State Comptroller The Powers Building 16 West Main Street Suite 522 Rochester, New York 14614-1608 (585) 454-2460 Fax (585) 454-3545 Email: Muni-Rochester@osc.state.ny.us Serving: Cayuga, Chemung, Livingston, Monroe, Ontario, Schuyler, Seneca, Steuben, Wayne, Yates Counties

GLENS FALLS REGIONAL OFFICE Jeffrey P. Leonard, Chief Examiner Office of the State Comptroller One Broad Street Plaza Glens Falls, New York 12801-4396 (518) 793-0057 Fax (518) 793-5797 Email: Muni-GlensFalls@osc.state.ny.us Serving: Albany, Clinton, Essex, Franklin, Fulton, Hamilton, Montgomery, Rensselaer, Saratoga, Schenectady, Warren, Washington Counties

SYRACUSE REGIONAL OFFICE Rebecca Wilcox, Chief Examiner Office of the State Comptroller State Office Building, Room 409 333 E. Washington Street Syracuse, New York 13202-1428 (315) 428-4192 Fax (315) 426-2119 Email: Muni-Syracuse@osc.state.ny.us Serving: Herkimer, Jefferson, Lewis, Madison, Oneida, Onondaga, Oswego, St. Lawrence Counties

HAUPPAUGE REGIONAL OFFICE Ira McCracken, Chief Examiner Office of the State Comptroller NYS Office Building, Room 3A10 Veterans Memorial Highway Hauppauge, New York 11788-5533 (631) 952-6534 Fax (631) 952-6530 Email: Muni-Hauppauge@osc.state.ny.us Serving: Nassau and Suffolk Counties

STATEWIDE AND REGIONAL PROJECTS Ann C. Singer, Chief Examiner State Office Building - Suite 1702 44 Hawley Street Binghamton, New York 13901-4417 (607) 721-8306 Fax (607) 721-8313
