Jocelyn E. Strauber, Commissioner of the New York City Department of Investigation (“DOI”), issued the 2023 Annual Anti-Corruption Report on the topic of data integrity — how agencies ensure the accuracy and consistency of their data — and agencies’ use of their data to address fraud, waste and corruption risks. Data integrity is defined as the quality, accuracy, consistency and security of data, the verification of its accuracy and consistency maintained over time and across formats, and the enforcement of rules and standards that prevent unauthorized data alteration. Data integrity is crucial because it ensures the trustworthiness and reliability of data, enabling informed decision-making and efficient operations, and strengthens data security by controlling access and preventing misuse. To the extent agencies use their data in their anti-corruption efforts, data integrity is one component of the effectiveness of those efforts.
DOI’s Annual Anti-Corruption Report is mandated by Executive Order 105 (“EO 105”), which consolidated the Inspector General function within DOI and established the DOI Commissioner as the City’s independent Inspector General, but gave agency heads primary responsibility for maintaining corruption-free agencies, and called upon DOI to assist in their efforts by preparing this annual Report, which summarizes agency-identified corruption vulnerabilities and agencies’ remedial strategies. Since 2020, these annual reports have focused on City agencies’ responses to a corruption-related issue. Unlike other DOI Reports, these annual reports rely primarily on information and analysis supplied to DOI by City agencies, rather than DOI’s own investigative work.
For this Report, DOI analyzed questionnaire responses from 48 agencies. The Report covers the period October 1, 2022 through September 30, 2023. A copy of the Report is attached to this release and can be found on DOI’s Reports page or by clicking here.
DOI Commissioner Jocelyn E. Strauber said, “Maintaining accurate and consistent data and using that data in anti-corruption efforts, are significant responsibilities of every New York City agency. Data, and therefore data integrity, impacts the City’s decision-making, record-keeping, and how agencies serve the public. This Report found that the majority of agencies use data to combat corruption and have practices or written policies designed to protect data integrity, but also found areas where agencies could improve. To that end, DOI recommended that City agencies review their data integrity practices and consider improvements such as memorializing practices in writing, controlling database access, and testing recovery procedures. I thank all the City agencies that responded to our questionnaire for their participation in the creation of this Report and for their commitment to maintaining data integrity."
This Report relies on agencies’ own assessments to provide a broad overview of the approach City agencies are taking to address risks of corruption, misconduct, or other criminal activity. In order to promote candid responses by the participating agencies, the individual responses have been aggregated or anonymized, as appropriate. For this 2023 Report, DOI developed a questionnaire that probed agencies’ approaches to data integrity by posing questions in the following categories:
• Identification – agencies were asked to identify and describe all databases that they control, directly or via contract, for which that agency is the primary user; what type of data each database contains; who owns the database; whether the data is captured manually or electronically; and whether the data is stored on-premises or in the cloud;
• Risk Analysis – agencies were asked to identify the five databases they deem most critical, to describe the data integrity measures in place for those databases, to identify any data integrity risks not addressed by those measures, and whether the agency has written data integrity policies or procedures; and
• Proactivity – agencies were asked whether they use any of their databases for purposes of identifying, preventing, or mitigating risks of corruption, fraud, waste, or abuse; whether they use artificial intelligence for anti-corruption efforts; and whether agencies have staff or units specifically responsible for analyzing, monitoring, or auditing data contained in those databases.
Data integrity is conceptually distinct from cybersecurity, which was the focus of DOI’s 2021 Anti-Corruption Report. Cybersecurity focuses on protecting systems and networks from digital attacks from both external and internal threats. Data integrity refers to preserving the validity and accuracy of data largely from internal threats that can involve internal bad actors or accidental human error. Inaccurate data can lead to poor decision-making and thus government waste; unmonitored data may present an opportunity for internal bad actors to commit acts of corruption and fraud. Proper data integrity policies can help avoid both.
City agencies’ questionnaire responses indicate that most agencies have taken steps to protect the integrity of their data, but the responses also exposed areas in which agencies could improve. The Report found that the majority of City agencies utilize some combination of data integrity best practices, including user-based limitations on access, audit trails, and periodic internal audits. However, agencies self-reported key risks to data integrity. Those risks included lack of role-based permissions and access, increased employee turnover and retention issues, as well as the advanced age of certain database platforms and maintenance of those platforms by third-party, outside vendors.
Thirty agencies indicated that they had written policies or procedures in place governing data integrity, though five of those agencies appear to rely solely on Citywide policies, rather than agency-specific policies on data integrity. A few of those thirty agencies submitted audit policies that did not explicitly mention or address data. Eighteen agencies reported they had no written policies on data integrity, though each of those agencies reported having practices in place to address data integrity—presumably, then, not memorialized in writing.
Thirty-three agencies responded that they do use data to identify, prevent, reduce, or eliminate instances or risks of corruption, fraud, waste, or abuse. Agencies reported methods including cross-referencing datasets against each other to flag issues. Six of the 48 agencies responded that they use artificial intelligence to analyze, monitor, or audit data to prevent corruption, fraud, waste, or abuse. These agencies reported a variety of helpful AI uses, such as algorithm-based evaluations of transaction characteristics to assign a fraud risk score for credit card authorization requests.
Forty agencies had staff responsible for data integrity efforts; eight agencies reported having no staff or units responsible for analyzing, monitoring, and/or auditing data contained in any of the identified databases. Of the 40 agencies with staff, headcounts varied but appeared largely proportional to the size of the particular agency. The experience of those staff members also varied and included a mix of advanced degrees, civil service exams or certifications, and general expertise in the data system itself or experience in City government.
Based on these findings, the Report recommends that City agencies assess their current data integrity policies and practices to evaluate whether they adequately promote data integrity and sufficiently utilize data to address risks of fraud, corruption, and abuse. As part of that assessment, DOI issues the following five recommendations for agencies to consider in light of their specific needs:
-Ensure that the agency has a written data policy that includes provisions regarding data governance, such as access control and disaster recovery procedures. Such data policy should be periodically reviewed and updated as necessary.
• Appoint a data officer responsible for setting the data policy, determining access, and reviewing compliance.
• Where possible, phase out the manual entry of data, moving to electronic input only. With respect to data deletion, limit deletion authority to a small universe of appropriate supervisory staff.
• Control database access based on roles or groups to which individuals are assigned so that access is consistent across similarly situated staff.
• Test and simulate disaster recovery procedures periodically to ensure that they will work as intended when actually needed.
No comments:
Post a Comment