State Comptroller DiNapoli Releases Audits

New York State Comptroller Thomas P. DiNapoli announced today the following audits have been issued.

Metropolitan Transportation Authority: Long Island Rail Road - Non-Revenue Service Vehicles and On-Rail Equipment (Follow-Up) (2024-F-17)

The Metropolitan Transportation Authority's (MTA) Long Island Rail Road (LIRR) Engineering Department is responsible for the overall administration of fleet vehicles-cars, SUVs, trailers, trucks, and vans-as well as the maintenance of 396 pieces of on-rail equipment. A prior audit, issued in May 2023, found Engineering did not have written policies or procedures for keeping its vehicle fleet inventory or performing vehicle maintenance, did not always complete preventive maintenance or the required New York State inspections, and did not do a complete analysis of the cost to lease or purchase the vehicles, finding one vehicle cost $81,000 more over the 58 months it was leased than it would have cost to purchase. The MTA made some progress in addressing the problems identified in the initial audit report. Of the initial report's 13 audit recommendations, three were implemented, four were partially implemented, and six were not implemented.

Metropolitan Transportation Authority - Transformation of the MTA (2022-S-5)

In April 2019, the New York State Legislature enacted changes in the Public Authorities Law requiring the Metropolitan Transportation Authority (MTA) and its affiliated entities to develop and complete a personnel and reorganization plan no later than June 30, 2019. The legislation expected to transform the organization through elimination of redundancies, streamlining processes, and greater collaboration to improve customer service, achieve greater efficiency, and realize cost savings. Auditors found the MTA did not have a working plan for Transformation that identified the tasks to be completed and included specific dates and cost savings. Full Transformation and delivery of the goals the Transformation Plan promised-improved customer service, process efficiencies, and cost reductions-were not supported by the work completed or based on documentation provided by the six departments reviewed.

Department of Corrections and Community Supervision - Controls Over Tablet and Kiosk Usage by Incarcerated Individuals (Follow-Up) (2024-F-28)

To serve the needs of the incarcerated individuals in its custody, the Department of Corrections and Community Supervision (DOCCS) contracted with Securus and its subsidiary JPay Inc. (Provider) to provide access to tablets and kiosks at no cost to incarcerated individuals, which they can use to access DOCCS-approved educational material, purchase DOCCS-approved media, and communicate with family and friends using a fee-based secure messaging system. A prior audit, issued in May 2023, found that DOCCS did not know how many individuals had opted in/out of the tablet program, did not internally monitor the numbers of active tablets at its facilities, did not verify the identity of community members corresponding with incarcerated individuals through secure messaging, did not adequately capture all the risks to incarcerated individuals and others through its secure message content screening process, did not adequately oversee the security and configurations of certain assets, and did not ensure systems were maintained at vendor-supported levels required to preserve the accuracy and integrity of DOCCS information. DOCCS asserted that it was not responsible for the tablet program, which it described as a relationship between the Provider and incarcerated individuals. DOCCS officials made some progress in addressing the problems identified in the initial audit report. Of the report's seven audit recommendations, one was implemented, three were partially implemented, and three were not implemented.

CVS Health - Accuracy of Empire Plan Medicare Rx Drug Rebate Revenue Remitted to the Department of Civil Service (Follow-Up) (2024-F-24)

The Empire Plan is the primary health benefits plan for the New York State Health Insurance Program, administered by the Department of Civil Service (Civil Service). Individuals who are dual enrolled in the Empire Plan and Medicare have their prescription drug coverage under Empire Plan Medicare Rx. CVS Caremark, which contracted with Civil Service to administer the prescription drug program, is required to negotiate agreements with drug manufacturers for rebates, discounts, and other consideration and remit the rebate revenue to Civil Service. A prior audit, issued in June 2023, identified $10,723,916 in rebates due to Civil Service from CVS Caremark. CVS Caremark made some progress in addressing the issues identified in the initial audit, recovering and remitting $419,233 in rebates to Civil Service. Of the initial report's two audit recommendations, one was partially implemented and one was not implemented.

Department of Health - Reducing Medicaid Costs for Recipients Who Are Eligible for Medicare (Follow-Up) (2025-F-8)

Individuals who are eligible or appear eligible for Medicare are required to apply for Medicare as a condition of receiving Medicaid. When Medicaid recipients are also enrolled in Medicare, Medicare becomes the primary payer and Medicaid the secondary, which allows for a significant cost avoidance for the Medicaid program. A prior audit, issued in September 2023, found, from July 2016 through June 2021, 13,318 Medicaid recipients who appeared eligible for Medicare based on age were not enrolled in Medicare. Medicaid could have potentially saved $294.4 million on behalf of these recipients for claims that could have been covered by Medicare as the primary payer. At the time of follow-up, auditors found Department of Health officials made little progress in addressing the problems identified in the initial audit report, and additional actions are needed. Of the initial report's three audit recommendations, one was implemented, one was partially implemented, and one was not implemented.

State Education Department (Preschool Special Education Audit Initiative): UCPA of Cayuga County d.b.a. E. John Gavras Center - Compliance With the Reimbursable Cost Manual (2024-S-10)

UCPA of Cayuga County d.b.a. E. John Gavras Center (Gavras Center), a not-for-profit special education provider located in Auburn, is authorized by the State Education Department (SED) to provide Preschool Integrated Special Class (over 2.5 hours per day) and Preschool Integrated Special Class (2.5 hours per day) education services to children with disabilities who are between the ages of 3 and 5 years. For the three fiscal years ended June 30, 2021, the Gavras Center reported approximately $4.3 million in reimbursable costs for the SED preschool cost-based programs. Auditors identified $625,534 in reported costs that did not comply with requirements.

State Education Department (Preschool Special Education Audit Initiative): The Arc Franklin-Hamilton d.b.a The Adirondack Arc - Compliance With the Reimbursable Cost Manual (2024-S-32)

The Arc Franklin-Hamilton d.b.a. The Adirondack Arc (Adirondack), a not-for-profit special education provider located in Tupper Lake, is authorized by the State Education Department (SED) to provide Preschool Special Class (over 2.5 hours per day) education services to children with disabilities between the ages of 3 and 5 years. For the three fiscal years ended June 30, 2021, Adirondack reported approximately $3.9 million in reimbursable costs for the SED preschool cost-based programs. Auditors identified $76,812 in reported costs that did not comply with requirements.

Erie County Medical Center Corporation - Security Over Critical Systems (2023-S-48)

Erie County Medical Center Corporation (ECMCC) is a leading health care provider and academic medical center in Western New York. ECMCC's IT Security Architecture emphasizes key principles such as the least privilege, data classification, and separation of duties. Auditors identified areas where ECMCC could improve certain security controls to minimize risks associated with unauthorized access to its systems and data. Due to the confidential nature of the audit findings, auditors communicated the details of these findings with eight recommendations in a separate, confidential report to ECMCC officials for their review and comment. ECMCC officials generally agreed with the findings and recommendations and, in several instances, indicated they were planning actions to address them.