New York State Office of the State Comptroller
Thomas P. DiNapoli
Division of State Government Accountability

Oversight of Hazardous Materials
and Waste
State University of New York

Report 2017-S-51

December 2018

 2017-S-51

Executive Summary
Purpose

To determine if SUNY institutions have developed adequate controls to effectively safeguard
campus communities against hazardous materials and waste. This audit covered the period from
January 1, 2015 through May 4, 2018.

Background

The State University of New York (SUNY) is the largest comprehensive system of public education
in the nation, comprising 64 autonomous campuses. In 2015-16, SUNY served nearly 1.3 million
students, with approximately 91,000 faculty and staff. Campuses are located throughout the
State, and SUNY maintains a central administrative office in Albany. For fiscal year 2015-16, SUNY
had a budget of $13 billion, including State support totaling $4 billion, and over $1 billion in total
research activity.
In order to promote a safer and more environmentally responsible SUNY community, SUNY’s
System Administration established the Environmental Health & Safety Office (EHSO). The EHSO
serves as a technical resource to provide tools, training, and communication for the campuses
on best practices and compliance issues, including compliance with SUNY’s own requirements
as well as local, State, and federal regulations for environmental management and occupational
safety and health.
Hazardous materials are defined and regulated in the United States primarily by laws and regulations
administered by the U.S. Environmental Protection Agency (EPA), the U.S. Occupational Safety
and Health Administration, and the U.S. Department of Transportation. Generally, a hazardous
material is any item or agent (biological, chemical, radiological, and/or physical) that has the
potential to cause harm to humans, animals, or the environment, either by itself or through
interaction with other factors.
The EPA and the New York State Department of Environmental Conservation have detailed
regulations defining hazardous waste. The EPA states that, simply defined, a hazardous waste is
a waste with properties that make it dangerous or capable of having a harmful effect on human
health or the environment. Hazardous waste is generated from many sources, ranging from
industrial manufacturing process wastes to batteries, and may come in many forms, including
liquids, solids, gases, and sludge.

Key Findings

• Based on our visits to two University Centers (University at Buffalo [Buffalo] and Stony Brook
University [Stony Brook]) and five campuses (Plattsburgh, New Paltz, Polytechnic Institute [Poly],
Oneonta, and Cobleskill), we found there is significant variation in the adequacy of controls
over hazardous materials.
• At most of the non-university center campuses, we found select areas in which controls over
hazardous materials could be improved. However, these weaknesses were not pervasive
throughout all areas of internal controls. In contrast, the University Centers had weaknesses
Division of State Government Accountability

1

 2017-S-51
throughout all the areas of internal controls we reviewed. For example, Buffalo’s system of
internal controls over hazardous materials purchasing, access, and accounting is inadequate
to provide reasonable assurance that students and campus communities are safeguarded
from exposure. These weaknesses prevent proper monitoring and accounting for hazardous
materials, compliance with legal requirements, and enforcement of restricted access to
hazardous materials.
• SUNY officials have established controls over and complied with hazardous waste regulations
that provide reasonable assurance that students and communities are safeguarded against
exposure to hazardous waste. Officials have implemented controls to safeguard hazardous
waste and comply with standards set forth by the various oversight agencies at the federal,
State, and local levels.

Key Recommendations

To SUNY Administration:
• Provide guidance and support to campus officials in designing and implementing a system of
internal controls that provide reasonable safeguards against intentional or accidental misuse of
hazardous materials.
• Work with campuses to improve controls over access, procurement, or accounting for hazardous
materials as necessary to further reduce risks relating to controls over hazardous materials.
To SUNY Institutions:
• Improve controls over access, procurement, or accounting for hazardous materials as necessary
to further reduce risk relating to hazardous materials. This may include (but not be limited to):
◦◦ Assessing risks to access, procurement, and accounting of hazardous materials and
implementing controls to address them.
◦◦ Monitoring and enforcing compliance with already established procedures in the Chemical
Hygiene Plan, lease agreements, and other university policies.

Other Related Audit/Report of Interest

Department of Environmental Conservation: Selected Aspects of Inactive Hazardous Waste Site
Remediation Cost Recovery (2014-S-14)

Division of State Government Accountability

2

 2017-S-51

State of New York
Office of the State Comptroller
Division of State Government Accountability
December 3, 2018
Kristina M. Johnson, Ph.D.
Chancellor
State University of New York
SUNY System Administration
State University Plaza
353 Broadway
Albany, NY 12246
Dear Chancellor Johnson:
The Office of the State Comptroller is committed to helping State agencies, public authorities, and
local government agencies manage government resources efficiently and effectively. By doing so,
it provides accountability for tax dollars spent to support government operations. The Comptroller
oversees the fiscal affairs of State agencies, public authorities, and local government agencies, as
well as their compliance with relevant statutes and their observance of good business practices.
This fiscal oversight is accomplished, in part, through our audits, which identify opportunities for
improving operations. Audits can also identify strategies for reducing costs and strengthening
controls that are intended to safeguard assets.
Following is a report of our audit entitled Oversight of Hazardous Materials and Waste. The audit
was performed pursuant to the State Comptroller’s authority as set forth in Article V, Section 1 of
the State Constitution and Article II, Section 8 of the State Finance Law.
This audit’s results and recommendations are resources for you to use in effectively managing
your operations and in meeting the expectations of taxpayers. If you have any questions about
this report, please feel free to contact us.
Respectfully submitted,
Office of the State Comptroller
Division of State Government Accountability

Division of State Government Accountability

3

 2017-S-51

Table of Contents
Background 

5

Audit Findings and Recommendations 

8

Hazardous Materials 

8

Hazardous Waste 

16

Recommendations 

16

Audit Scope, Objective, and Methodology 

17

Authority 

18

Reporting Requirements 

19

Contributors to This Report  

20

Agency Comments and State Comptroller’s Comments 

21

State Government Accountability Contact Information:
Audit Director: Brian Reilly
Phone: (518) 474-3271
Email: StateGovernmentAccountability@osc.ny.gov
Address:
Office of the State Comptroller
Division of State Government Accountability
110 State Street, 11th Floor
Albany, NY 12236
This report is also available on our website at: www.osc.state.ny.us
Division of State Government Accountability

4

 2017-S-51

Background
The State University of New York (SUNY) is the largest
comprehensive system of public education in the nation,
comprising 64 institutions (4 of which are University
Centers), including research universities, academic
medical centers, liberal arts colleges, community colleges,
and agricultural and technical institutes across the State.
In 2015-16, SUNY served nearly 1.3 million students and
employed approximately 91,000 faculty and staff. For
fiscal year 2015-16, SUNY had a budget of $13 billion,
including State support totaling $4 billion, and over $1
billion in total research activity.

A variety of hazardous materials are used
at SUNY campuses, including items such
as: cadmium nitrate tetrahydrate, which
may intensify fires, is toxic if swallowed,
is harmful in contact with skin or inhaled,
and may cause cancer; and arsenic oxide,
which may be fatal if swallowed and
harmful if inhaled, causes eye and skin
irritation, and can cause severe respiratory
and digestive tract irritation with possible
burns, blood abnormalities, lung damage,
central nervous system effects, cardiac
disturbances, and liver and kidney damage.

SUNY campuses use hazardous materials, and generate hazardous waste, in a variety of both
classroom-related (e.g., laboratory operations, photo processing) and non-classroom-related
(e.g., facilities operations and maintenance, and construction and renovation) activities. Due to
their properties (e.g., toxicity, flammability, explosiveness, corrosiveness), such substances pose
inherent and potentially large-scale and harmful risks. Robust controls over hazardous materials
are essential to ensure student and campus safety and to protect campus communities and the
environment.
To promote a safer, more environmentally responsible SUNY community, SUNY’s System
Administration (SUNY Admin) established the Environmental Health & Safety Office (EHSO). Led
by the Director of Environmental Health & Safety, the EHSO serves as a technical resource for
the campuses, providing tools, training, and communication on best practices and compliance
with local, State, and federal regulations; as well as
OSHA’s definition of hazardous chemicals is:
any chemical that is classified as a physical SUNY’s own requirements governing environmental
or health hazard, a simple asphyxiant, management, including hazardous materials and
combustible dust, pyrophoric gas, or a hazard waste, occupational safety and health, and building
not otherwise classified. A health hazard is and fire codes. Each campus has designated employees
a chemical that is classified as posing one of
responsible for ensuring its hazardous waste and
the following hazardous effects: acute toxicity
(any route of exposure), skin corrosion or material programs comply with all applicable rules,
irritation, serious eye damage or irritation, regulations, and laws.
respiratory or skin sensitization, germ cell
mutagenicity, carcinogenicity, reproductive
toxicity, specific target organ toxicity (single
or repeated exposure), or aspiration hazard.
A physical hazard is one that is considered
to be explosive, flammable (gases, aerosols,
liquids, or solids), oxidizer (liquid, solid,
or gas), self-reactive, pyrophoric (liquid
or solid), self-heating, organic peroxide,
corrosive to metal, gas under pressure, or
in contact with water emits flammable gas.

In general, a hazardous material is any item or agent
(biological, chemical, radiological, and/or physical) that
has the potential to cause harm to humans, animals, or
the environment either by itself or through interaction
with other factors. Both the U.S. Occupational Safety
and Health Administration (OSHA) and the U.S.
Environmental Protection Agency (EPA) further define
hazardous chemicals and substances (hereafter called
hazardous materials) in greater detail. Hazardous

Division of State Government Accountability

5

 2017-S-51
materials are regulated primarily by laws and regulations administered by the EPA, OSHA, and the
U.S. Department of Transportation. Furthermore, the U.S. Department of Homeland Security’s
(DHS) Chemical Facility Anti-Terrorism Standards (CFATS) program identifies and regulates highrisk chemical facilities to ensure they have security measures in place to reduce the risks associated
with these chemicals. Where quantities of certain hazardous materials maintained on site exceed
CFATS’ established thresholds, campuses are required to report the information to DHS.
Pursuant to regulations promulgated by OSHA (29 CFR 1910.1450), every SUNY campus is
required to have a Chemical Hygiene Plan, a written program stating the policies, procedures, and
requirements to protect workers from the health hazards associated with hazardous chemicals
used in the workplace. The Chemical Hygiene Plan must include, among other things: standard
operating procedures relevant to safety and health considerations for each activity involving the
use of hazardous chemicals; criteria being used to determine and implement control measures
to reduce exposure to hazardous materials (e.g., engineering controls); designation of personnel
responsible for implementing this plan; and provisions for additional worker protection for working
with particularly hazardous substances. SUNY campuses are also required to review and evaluate
the effectiveness of their Chemical Hygiene Plan at least annually and update as necessary.
In addition, as of January 2008, SUNY Admin requires every campus to develop and maintain an
Emergency Response Plan designed to protect life, protect critical facilities, and restore campus
operations in the event of an emergency. Among other requirements, the Emergency Response
Plan must contain:
• An emergency plan for each campus unit that also identifies the individuals (by name or
position) responsible for maintaining and evaluating the sufficiency of the plan.
• A campus-wide hazard analysis that examines the likely hazards that could affect the
campus and forms the basis for the entire emergency planning process.
• A statement signed and dated by the campus president endorsing the Emergency Response
Plan and supporting its implementation.
Although campuses develop their own Chemical Hygiene Plan, tailored to address their specific
needs, each campus’ Plan generally (six of the seven we visited) requires school laboratories
to maintain an inventory of their stores of chemicals and to update the inventory as chemicals
are purchased or removed from service. Because hazardous materials are used daily in labs for
teaching and other activities, maintaining a perpetual inventory is not always feasible. Therefore,
each school designs inventory controls based on the needs of their campus. This may include
monthly or biannual reconciliations by individuals in charge of specific labs or some other campusspecific requirement. State and federal regulations permit this type of inventorying.
School officials may also establish controls over access to, as well as procurement of, hazardous
materials, based on the needs of their campus. This flexibility applies to use of the State’s
procurement card (p-card) system. As established in the Office of the New York State Comptroller’s
Guide to Financial Operations (GFO), SUNY schools are required to use p-cards for small-dollar
purchases (< $500) to facilitate a cost-effective method of procurement beginning April 1,
2018; SUNY schools are otherwise able to establish their own controls based on SUNY Admin
Division of State Government Accountability

6

 2017-S-51
recommendations. While there are inherent benefits and risks associated with p-card programs,
the GFO requires agencies to develop appropriate controls and accountability over procurement,
and offers a tool to assist agencies in assessing controls related to purchasing, receiving, and other
areas. If certain types of purchases are considered riskier than others, SUNY officials may add any
controls they deem necessary to mitigate these risks (e.g., restricting merchant category codes
on p-cards, adding additional layers of review). Adequate internal controls over procurement
may: provide management with reasonable assurance regarding the achievement of operational
objectives; help to establish standards of performance; ensure compliance with laws, regulations,
policies, and procedures; reduce opportunities for fraud and prevent loss of resources; and ensure
public confidence. These controls are all the more critical for purchases of hazardous materials to
ensure accountability – that is, that quantities of purchases are carefully monitored and that only
authorized individuals are making purchases for a necessary business purpose.
Campuses are also responsible for properly managing their hazardous waste, which can include,
for example, spent batteries and solvents, waste laboratory chemicals, waste paints, and waste
oil. As defined by the EPA, hazardous waste is a waste with properties that make it dangerous
or capable of having a harmful effect on human health or the environment. Hazardous waste is
regulated by the EPA and the New York State Department of Environmental Conservation (DEC).
DEC requires the submission of annual reports, and conducts regular inspections for each campus
to ensure it is meeting the requirements for storage and disposal of hazardous waste.

Division of State Government Accountability

7

 2017-S-51

Audit Findings and Recommendations
SUNY officials have established adequate controls over and complied with regulations to provide
reasonable assurance that students and campus communities are safeguarded against exposure
to hazardous waste. However, we determined similar controls over hazardous materials –
specifically, the key areas of access, procurement, and accounting – could be improved. Based
on our visits to two University Centers (University at Buffalo [Buffalo] and Stony Brook University
[Stony Brook]) and five campuses (Plattsburgh, New Paltz, Polytechnic Institute [Poly], Oneonta,
and Cobleskill), we found that, although campuses may have established procedures to manage
these key aspects of control, they were not always followed or enforced. The inherent dangerous
properties of these types of substances aside, control weaknesses create the potential to
jeopardize the health and safety of student and campus communities by accidental or intentional
exposure to these materials.
At most campuses, we found controls that needed improvement. However, with the exception of
the University Centers, the weaknesses we identified were not pervasive throughout all internal
control areas. The University Centers, on the other hand, had control weaknesses in all areas of
internal controls that we reviewed. At Buffalo and Stony Brook – sizable schools that specialize
in medicine and research – undermanaged hazardous materials can pose significant threats. At
Buffalo – SUNY’s largest university – systemic weaknesses undermined proper monitoring and
accounting of hazardous materials, compliance with legal requirements, and enforcement of
restricted access to hazardous materials. Of equal concern was Buffalo officials’ lack of openness
and responsiveness when we brought these issues, and the potential risks, to their attention. The
risk of health and environmental consequences that can result from poorly controlled hazardous
materials – not to mention the liability to the State – should not be underestimated. While we
identified similar issues at Stony Brook, officials, demonstrating a supportive attitude toward
internal controls, were responsive to our findings, and stated they plan to tighten controls.
We recommend that SUNY Admin work with campuses to implement a system of internal controls
over access, procurement, and accounting of hazardous materials to ensure the safety of all their
students, faculty, and community; improve accountability; and mitigate the risks of a significant
event.

Hazardous Materials
Generally, each SUNY school is responsible for establishing its own hazardous materials controls,
including policies and procedures, based on their needs and other factors specific to their campus.
Given their individualized approach to controls, our audit tested a range of criteria, and not all
criteria applied to all schools. For this reason, it is difficult to draw comparisons across schools.
Instead, we present our findings as stand-alone issues of significance for each school.
We focused our testing on access, procurement, and accounting for hazardous materials as well
as completion of certain aspects of the Chemical Hygiene Plan and Emergency Response Plan. We
took these into consideration not only as separate and distinct aspects but also as they factored
Division of State Government Accountability

8

 2017-S-51
into a functioning system of internal controls related to our
audit objective. For those schools that required inventories
under their Chemical Hygiene Plan, we attempted to match
inventory and procurement records to determine if materials
were accounted for. For most campuses, we generally were
able to locate the bulk of the chemicals on their inventory
lists, however, all but one school had hazardous materials
that we could not account for.

University Centers

As previously discussed, accounting
for materials that are continuously
being used can be problematic. The
limitations of material inventorying
were factored into consideration of
the findings and were only a limited
piece of our review of internal controls
as a whole over hazardous materials.
The amount and type of hazardous
materials we could not account for
varied by the schools depending on the
school size and type of chemicals in use.

University at Buffalo
Buffalo’s system of internal controls over hazardous materials purchasing, access, and accounting
is not adequate to provide reasonable assurance that students, staff, and campus communities are
safeguarded from exposure. Where procedures have been established, they are not sufficiently
robust to prevent circumvention. Lacking the necessary controls, Buffalo’s hazardous materials are
vulnerable to mismanagement at the very least and potential exploitation at worst, predisposing
students and the campus community to the risk of exposure.
Access. We tested key access controls for five departments, and found none of the departments
developed their own internal policies, as required by university procedures. Additionally, none
of them maintained a complete or accurate list of master and sub-master keys and key holders’
names. For one department that uses a card entry system, we tested access for a sample of 30
employees. For 27 (90 percent), the department did not maintain any documentation supporting
their authorized access. There is thus no certainty that only authorized employees have access
to areas with hazardous materials and that individuals who could create or increase a hazard do
not. There was also confusion among those individuals charged with maintaining access controls
as to what their responsibilities actually were. Ultimately, there is limited assurance that only
authorized persons have access to areas storing hazardous materials. When we brought these
issues to the attention of school officials, they were not open or responsive to the risk raised,
stating Buffalo is too large to implement an effective key control system.
Procurement. We found there are minimal controls over purchasing of hazardous materials and
limitations to what is recorded by Buffalo’s procurement system. These limitations not only
diminish officials’ ability to monitor and track purchases, but also restricted our ability to fully
test controls over purchases of hazardous materials.
No additional controls over purchasing
Buffalo’s own Electronic Requisition Policy, which was not
provided to auditors until after the draft report was issued,
states all expenses require a business purpose. The policy
further states that the business purpose explanations should
be sufficiently detailed to allow the reviewer to determine
that the transaction was program- or grant-related in nature.
However, during our site visit, Buffalo’s purchasing officials
Division of State Government Accountability

hazardous materials on p-cards
have been implemented. Although
we have seen additional controls
implemented at other schools,
officials stated they accept the risk
that purchases of hazardous materials
may be made by unauthorized
individuals on p-cards and do not
intend to change their processes.

9

 2017-S-51
stated that purchases using Buffalo’s electronic requisition system are reviewed only to ensure
that funds are available and are charged to correct sources – and not for need, reasonability, or
any other factor. Procurement officials further stated, in regards to the purchase of hazardous
materials specifically, no additional controls have been established to mitigate risk, such as
requiring a business justification or pre-approval. Officials stated procurement does not have the
knowledge to determine business justification. In addition, purchasing officials stated that anyone
with a p-card can purchase anything (i.e., there is no difference between the head of finance or
a lab tech). There are no approvals, only the initial granting of a p-card. Furthermore, Buffalo
does not require purchases to be delivered to a central clearinghouse. In fact, Buffalo officials
even noted that purchasers can have any quantity of items, including hazardous material, directly
delivered to their offices or even their homes.
Inventory. Buffalo’s Chemical Hygiene Plan requires laboratories to maintain a periodic inventory of
their hazardous materials. We selected a sample of ten labs to test for the inventory requirements,
but found our ability to test was limited due to Buffalo’s incomplete systems and poor record
maintenance. For example, data for one lab was not usable, and we had to remove the lab from
testing. Of the remaining nine labs, only two met all the requirements of the Chemical Hygiene
Plan. For example, several of the labs’ chemical inventories were missing building, room number,
number of containers, container size, date acquired, physical state of the chemical, etc.
As a result of these inventory and record maintenance deficiencies, we could not determine, nor
could officials provide, assurance that Buffalo’s storage of hazardous materials did not exceed
CFATS’ established thresholds at the time of our visit:
• Buffalo officials could not provide reliable records to determine if purchases were or were
not in line with quantities covered under CFATS.
• Buffalo officials could not provide evidence to verify they had knowledge of any hazardous
materials being maintained on site by entities that lease campus space from the school.
Buffalo’s lease agreements require lessees to provide inventory of materials quarterly to
Buffalo officials. Buffalo officials were not aware of this term in the lease until we brought
it to their attention and did not require inventories be submitted; therefore, none were.
At the closing meeting for this audit and in response to our preliminary findings, Buffalo officials
stated that they have extensive procedures, which they follow, and work closely with DHS to
ensure they meet CFATS requirements. As evidence, officials provided us with a copy of a survey
that they sent to all principal investigators in 2008, requesting Discussions with officials on site
them to list the quantity of any chemicals in their lab covered revealed inconsistencies in stated
under CFATS. Officials also stated they verified the information procedures. For example, contractors
on the survey through audits. While these procedures may sign leases that require them to
have provided assurance of the quantities of CFATS chemicals provide inventories of materials
maintained on site to the campus.
on site in 2008, they are not performed annually. Officials stated However, campus officials say they
that in 2011, DHS no longer required Buffalo to be subject to cannot ask for the information
additional regulatory requirements. They informed auditors because it is proprietary. Nonetheless,
that they verify CFATS materials through lab inspections and they also claim they do walk“other means,” but did not provide support for either. For throughs to gather this information.
Division of State Government Accountability

10

 2017-S-51
confidentiality reasons, they could not provide us with any detailed information. Officials also
noted they perform walk-throughs of contractor space, which would provide the campus with
knowledge of the type and amount of materials stored that may pertain to CFATS, but provided
no information or support to confirm this statement.
Again, after the issue of this draft, SUNY officials provided us with documentation to support
leased space inspections they purported occurred during our audit scope period. However, the
documentation provided minimal assurance that these inspections occurred or would serve to
determine whether Buffalo exceeds CFATS thresholds for hazardous materials.
Plan Documentation. We found that Buffalo has completed its Chemical Hygiene Plan containing
all the required components. However, based on conflicting statements made to us by officials, it
is not clear whether the plan is evaluated annually, as required. During our initial discussions, we
were told the plan was not evaluated annually. Later in the audit, officials stated that the plan is,
in fact, evaluated on a regular basis, but they could not provide evidence to support this.
As of November 2017, Buffalo had not yet completed its Emergency Response Plan – a requirement
that SUNY established in 2008 as a defense against a hazardous materials event. Specifically,
Buffalo officials have yet to complete emergency plans for individual campus units, and have not
identified the individuals (by name or by position) responsible for maintaining and evaluating
the sufficiency of these unit plans. Officials provided us with a “Comprehensive Emergency
Management Plan” drafted in June 2017. However, the document does not address all the
required components. Buffalo officials stated they have established an Incident Management
Team that aligns with DHS’ best practices and also plans and performs emergency drills. However,
while these additional controls may mitigate some risks, they do not suffice in place of a complete
Emergency Response Plan.
When we reported on the various control weaknesses to Buffalo officials, officials were not open
and responsive to the issues we raised. We recognize that Buffalo, like all SUNY campuses, is
allowed to establish a level of control based on campus-specific needs; however, as the largest
university in the SUNY system, and therefore having greater risk and greater stakes, we found
this attitude concerning. It is precisely Buffalo’s size that demands disciplined controls: It is more
vulnerable to misuse, whether intentional or accidental, of hazardous materials as it conceivably
purchases more of these materials than any of the other schools and has the largest student and
faculty population of any campus in the State.
Stony Brook University
We found control weaknesses over access, purchasing, and accounting of hazardous materials
at Stony Brook as well. Consequently, Stony Brook officials have less assurance that the risk of
campus and community exposure to hazardous materials is reasonably mitigated. In response to
our initial findings, officials acknowledged some of these risks and stated they plan on tightening
controls to address some of them.

Division of State Government Accountability

11

 2017-S-51
Access. Based on our testing of two databases used to control key access as well as on-site
observations, we identified weaknesses in Stony Brook’s oversight of access to restricted
hazardous materials areas and little key accountability. For instance:
• In testing key access for a sample of 22 individuals who were identified as currently
possessing keys to hazardous material areas, we found 12 individuals (55 percent) for
whom officials could not provide any documentation that the issuance of a key was
authorized (e.g., no formal key request, no signature acknowledging key receipt).
• Seven of these 12 individuals were no longer employed by Stony Brook. Although school
policy requires employees to return assigned keys prior to issuance of the final paycheck,
officials stated this policy is not enforced at separation.
Our access testing was aligned with our inventory testing, which included areas with hazardous
materials – and which are secured with traditional key locks versus an electronic card system. Our
testing therefore did not encompass access security within the electronic card system, which is in
use in more than half of Stony Brook’s buildings (29 of 47).
During our testing, we identified two locations that may contain hazardous materials and
dangerous biological agents (including one Biological Safety Lab 21) that were inadequately
secured. Despite locks on the doors, we were able to gain entry without keys.
Procurement. As part of our testing, we sought to track Stony Brook’s hazardous materials
purchases, from procurement to receiving to inventory. However, deficiencies in each area
inhibited our efforts.
• Per our request, Procurement officials provided us with a spreadsheet of purchases for
calendar year 2017, but could not assure us that it accounted for  all purchases for a
specific lab because Stony Brook’s system tracks purchases by individuals, not labs. We
found limitations to what is recorded by Stony Brook’s procurement system. Additionally, a
number of people (340) within the school have a p-card, which makes these purchases hard
to track. Stony Brook has not implemented any additional controls over p-card purchases
of hazardous materials, such as requiring a business justification or pre-approvals.
• According to Central Receiving officials, unless specified otherwise, only items bought
using a purchase order go through Central Receiving – purchases made using a p-card do
not. Also, Central Receiving staff “do not check the package” if it is labeled as hazardous.
Therefore, Central Receiving cannot reconcile any aspect of a “hazardous” package’s
contents (e.g., quantity, type of material) with the packing slip or original purchase order.
Inventory. Stony Brook’s current Chemical Hygiene Plan requires staff to maintain a chemical
inventory for each lab. However, we found that lab staff do not always do this. According to
officials, the inventory requirement was added to its plan as a best practice. Rather than enforce
the inventory requirement, officials stated they hope to remove it in a revised Chemical Hygiene
Biological safety labs are classified as level 1, 2, or 3, with level 1 labs housing the least threatening agents and level 3 labs
housing the most dangerous. Level 2 labs contain agents that pose moderate hazards to personnel and the environment. Access
to the laboratory should be restricted when work is being conducted.
1

Division of State Government Accountability

12

 2017-S-51
Plan – a move that would weaken controls rather than comply with existing procedures. SUNY
Admin stated it would support this decision.
We were unable to test controls over CFATS requirements due to confidentiality restrictions.
However, Stony Brook officials stated they have taken the following steps to ensure CFATS
compliance:
• Conducted an initial assessment at all labs and gathered information regarding the
materials related to CFATS to determine if they are at the threshold.
• Developed a program to track all purchases of these materials to ensure they do not
exceed the threshold.
• Established a practice of monitoring based on annual reports from both their hazardous
materials vendor and procurement department related to the purchasing of those specific
chemicals. Stony Brook officials provided us with email correspondence requesting reports
for purchases of hazardous materials covered under CFATS be sent to the Environmental
Health and Safety department (EHS).
We selected a sample of ten labs to test the Chemical Hygiene Plan inventory requirements. Only
four of the ten met all inventory requirements. Of the remaining six labs, five were missing at
least one requirement and one did not have an inventory at all. For example, several of the labs
were missing quantity, location, and manufacturer of the chemicals. Despite these limitations,
for the nine labs with inventories, our testing found that over 90 percent of the materials were
accounted for.
Plan Documentation. We reviewed Stony Brook’s current Chemical Hygiene Plan and found it was
complete and met all the requirements. However, the Chemical Hygiene Plan is required to be
reviewed annually and updated as needed. We were not provided with support that the plan was
reviewed annually and it has not been updated since 2001. Therefore, it may or may not account
for current conditions. Stony Brook’s Emergency Response Plan was complete and up to date.

Non-University Centers
None of the five non-university centers we visited had internal control weaknesses throughout
all areas we tested. However, as was the case with the University Centers, we identified areas
of concern at several of these smaller schools that should be addressed. Although the risk of a
hazardous materials incident might be less for these campuses, the potential impact remains
just as significant. It is thus imperative that the schools take appropriate action to ensure robust
controls in all areas.
Access
We identified access controls to be adequate at Poly and Cobleskill. At New Paltz and Oneonta, we
found controls could be improved, and at Plattsburgh, we didn’t obtain enough documentation to
draw a conclusion on the key system. Key findings for each follow:

Division of State Government Accountability

13

 2017-S-51
• Poly’s procedures over access to designated areas constitute their strongest risk-mitigating
control to safeguard against accidental or intentional exposure to hazardous materials.
◦◦ Access requests are reviewed by the Chief of University Police, in conjunction with the
Director of Facilities.
◦◦ There is appropriate separation of duties as well as controls over temporary and
permanent restrictions. For example, Poly uses a temporary badging system that
automatically discolors the badge after 24 hours.
• Cobleskill maintains a listing of keys. Once a year, the EHS director requires that each
faculty member who was issued a key must present the key before they can receive their
paycheck. Rooms containing hazardous materials were locked during our visit.
• At Plattsburgh, we were not provided with accurate information to draw any conclusion
on the adequacy of the key system.
◦◦ Staff provided documentation for a key system that is no longer in use in the areas
containing hazardous materials, but did not provide information on the system they
are currently using.
◦◦ We reviewed the current card reader system and determined it provides adequate
access controls to those areas where it has been implemented.
• Although New Paltz has established procedures to limit access to hazardous materials in
its labs, certain access controls are not being implemented as intended. For example:
◦◦ Despite signs indicating that rooms should be locked or only accessed by authorized
personnel, we were able to access 16 labs and prep rooms without the use of a key,
card, or assistance from school officials.
◦◦ We were able to physically access hazardous materials that were either on open
shelving or in unlocked cabinets.
◦◦ Officials stated that labs and buildings are generally left open during the day when
classes are in session; however, we note that at the time of our site visit, no classes
were in session, almost all of the rooms we entered were empty, and there were few
people in the building.
• Oneonta has record-keeping procedures regarding the issuing, reissuing, and reconciling of
keys; however, the procedures are not being followed. Because there is no documentation
identifying the employees who were issued keys or employees who are in possession
of particular keys, we were unable to conduct any testing in this area. Without access
controls, Oneonta is vulnerable to unauthorized access to areas containing hazardous
materials, limiting officials’ ability to safeguard against intentional or accidental misuse of
hazardous materials.
Procurement
At our site visits to the five non-university centers, we found Cobleskill, Oneonta, and Poly had
established adequate systems to ensure that purchasing and receiving of hazardous materials are
appropriately controlled. For example, at Cobleskill, the ability to purchase hazardous materials
is limited to two individuals, and the EHS director reviews purchases. Also, certain extremely
hazardous materials require the EHS director’s approval before purchase. At Poly, all hazardous
material purchases go through a robust chain of custody: a listing of materials is approved for
purchase by Poly’s Environmental Health and Services department; once approved, materials
Division of State Government Accountability

14

 2017-S-51
may be purchased by the procurement department or authorized individuals; and, upon delivery,
shipments go through Central Receiving for processing before distribution to the lab.
At both Plattsburgh and New Paltz, we identified weaknesses that may expose the schools to risks.
At Plattsburgh, for instance, one person – the Science Programs and Facility Support Professional
– is responsible not only for placing hazardous materials orders but also receiving the materials
and inventorying them. This lack of segregation of duties across parts of the purchasing process
increases the risk of error, waste, and otherwise inappropriate activity, which can go undetected.
Plattsburgh should consider separating these tasks among employees to reduce these risks.
New Paltz established procurement procedures that were intended to restrict p-card purchasing
of hazardous materials to authorized employees only. However, in reviewing p-card statements
for the period January 1, 2017 through September 30, 2017, we found one instance of an
unauthorized purchase of a hazardous material that officials were unaware of. While officials
acknowledged that this individual should not have been able to make the purchase, they stated
there is a business need for the employee to use the p-card for this hazardous material purchase,
and the employee will be added as an authorized user for these types of purchases.
Inventory
At Poly, the regular (i.e., teaching) labs do not maintain an inventory of hazardous materials, nor
are they required to under the school’s Chemical Hygiene Plan. The remaining four schools are
required by their Chemical Hygiene Plan to maintain inventories. In testing inventories, we found
adequate controls at Plattsburgh and Cobleskill, but found some areas of weakness at New Paltz
and Oneonta. Among our specific findings:
• Cobleskill maintained inventories in accordance with the Chemical Hygiene Plan
requirements, and we were able to locate all of the hazardous materials selected for
review from the school’s inventory during our visit.
• Plattsburgh maintained inventories in accordance with its plan’s requirements, and we
were able to account for 78 percent of the materials selected in our sample.
• New Paltz maintained inventories of materials in all ten rooms we tested, as required by
its Chemical Hygiene Plan. However, at the time of our visit, we were only able to locate
43 percent of the materials in our sample.
• Oneonta officials could only provide us with a partial listing of the labs that contained
hazardous materials. In addition, some of the labs did not maintain an inventory, as
required. We verified inventories of hazardous materials that were available for three
departments, and were able to account for 72 percent of the materials on the lists
provided.
Plan Documentation
All five schools had a complete and current Chemical Hygiene Plan; however, only two – Oneonta
and Cobleskill – also had complete and updated Emergency Response Plans.

Division of State Government Accountability

15

 2017-S-51
New Paltz did not include a hazard analysis in its Emergency Response Plan, as required. A hazard
analysis identifies the likely hazards that could affect the campus in the event of an emergency,
and forms the basis for the entire emergency planning process.
Poly’s Emergency Response Plan was incomplete. The Police Chief, who was recently promoted
from the Utica campus and is responsible for developing the Emergency Response Plan, stated
it was about 85 percent complete. However, officials stated they have a separate plan in case of
emergency that does reference hazardous materials.

Hazardous Waste
SUNY officials have established adequate controls over, and complied with, hazardous waste
regulations to provide reasonable assurance that students and communities are safeguarded
against exposure from hazardous waste.
For all of the campuses visited, we generally found adequate records to support that hazardous
waste was stored and disposed of properly. All of the schools used private contractors permitted
in hazardous waste disposal to remove waste from the campus. We verified that DEC audited
each campus’ hazardous waste storage and disposal procedures. In all but one case, DEC had
audited the campus within three years.

Recommendations
To SUNY Administration:
1.  Provide guidance and support to campus officials in designing and implementing a system of
internal controls that provide reasonable safeguards against intentional or accidental misuse
of hazardous materials.
2.  Work with campuses to improve controls over access, procurement, or accounting for
hazardous materials as necessary to further reduce risks relating to controls over hazardous
materials.
To SUNY Institutions:
3.  Improve controls over access, procurement, or accounting for hazardous materials as
necessary to further reduce risks relating to hazardous materials. This may include (but not
be limited to):
• Assessing risks to access, procurement, and accounting of hazardous materials and
implementing controls to address them.
• Monitoring and enforcing compliance with already established procedures in the Chemical
Hygiene Plan, lease agreements, and other university policies.

Division of State Government Accountability

16

 2017-S-51

Audit Scope, Objective, and Methodology
This audit sought to determine if SUNY institutions have developed adequate controls to effectively
safeguard communities against hazardous materials and waste. This audit covered the period
from January 1, 2015 through May 4, 2018.
To accomplish our objective, we reviewed relevant laws and regulations and SUNY’s policies
related to hazardous materials and waste. We also became familiar with and assessed SUNY’s
internal controls as they related to our audit objective. The controls established by the various
SUNY schools varied greatly based upon the size of the school, uses of the hazardous materials,
and overall internal control environment of the school. Therefore, each school was evaluated
based upon the procedures they had in place while following the overall SUNY guidelines. We held
meetings with SUNY officials to gain an understanding of their oversight of hazardous materials
and waste. We performed site visits to seven SUNY schools (Buffalo, Stony Brook, Plattsburgh,
New Paltz, Oneonta, Polytechnic Institute, and Cobleskill). We judgmentally selected the schools
based on various factors, including student population, amount of waste generated, types of
degrees offered, and reports of non-compliance. We also assessed the data reliability of the
SUNY schools we visited and determined, in most instances, the information lacked sufficient
reliability. As such, we limited our use of the data contained within the systems. The data that
was provided to us contained information for hazardous material counts, procurement, and key
and card access between January 1, 2017 and January 26, 2018. In some instances, we used
the data we received from the systems to select samples for testing and to provide background
information. We verified this data against information contained in hard copy files and our own
physical observations of items. We used the hard copy information and our observations to form
the basis for our findings instead of the information in the systems.
We were not able to verify the accuracy and completeness of the amounts of hazardous materials
and waste in each laboratory because hazardous material inventory is updated throughout the
year and not maintained perpetually. Instead, we selected random and judgmental samples of
items recorded as being on hand and then verified that they were either present in the lab or had
been appropriately disposed of, even if the inventory list had not yet been updated at the time it
was provided to us. In total, we randomly selected 8 labs and judgmentally selected 51 labs based
on quantity of materials and waste, for a total of 59 labs. From those labs, we randomly selected
173 materials and judgmentally selected 587 materials based on the quantity of materials and
waste, for a total of 760 materials. The scope of our hazardous material testing was January
1, 2017 through January 18, 2018. Those judgmentally selected were chosen based on several
factors, including financial transactions, volume, and/or inventory availability. We used physical
observation to determine if the materials were accounted for.
We were not able to verify the accuracy and completeness of the amounts of keys and cards
because our testing indicated the data was not reliable. We judgmentally selected samples of
records to verify that access was appropriate. In total, we judgmentally selected 1,108 keys and
cards based on several factors, including number of keys assigned, title of employee, and audit
liaison assessment. The scope of our testing was January 1, 2017 through January 26, 2018.
Division of State Government Accountability

17

 2017-S-51
We were not able to verify the accuracy and completeness of the number of procurement
transactions because not all transactions were related to our scope and we could not verify
them against the inventory we tested because, as stated above, we were not able to verify the
accuracy or completeness of that data. We selected judgmental samples of materials recorded as
being purchased and then attempted to verify that they were either present in a lab or had been
appropriately disposed of, even though the inventory list had not yet been updated at the time it
was provided to us. We judgmentally selected the purchases based on various factors including
date of purchase and purchase description. The scope of our procurement testing was January 1,
2017 through January 18, 2018.
The results of our sampling work support the findings, conclusions, and recommendations in
this report. However, those results can’t be projected back to the entire population of hazardous
materials and waste.
As is our normal practice, we requested that SUNY officials provide us with a letter of representation
to affirm that they have made all relevant records and related data available for audit, and that they
have complied with all applicable laws, rules, and regulations or have disclosed any exceptions
and material irregularities to the auditors. The letter of representation is also intended to confirm
any significant oral representations made to the auditors and thereby reduce the likelihood of
misunderstandings. SUNY provided us with a representation letter dated May 10, 2018. However,
SUNY later provided a binder of documentation on July 26, 2018 in response to the draft report.
This documentation was all available to SUNY during the course of our audit. Therefore, we have
limited assurance all material information was provided to us during the course of our audit, as
SUNY officials attested to in their representation letter.
We conducted our performance audit in accordance with generally accepted government auditing
standards. Those standards require that we plan and perform the audit to obtain sufficient,
appropriate evidence to provide a reasonable basis for our findings and conclusions based on
our audit objective. We believe that the evidence obtained provides a reasonable basis for our
findings and conclusions based on our audit objective.
In addition to being the State Auditor, the Comptroller performs certain other constitutionally and
statutorily mandated duties as the chief fiscal officer of New York State. These include operating
the State’s accounting system; preparing the State’s financial statements; and approving State
contracts, refunds, and other payments. In addition, the Comptroller appoints members to
certain boards, commissions, and public authorities, some of whom have minority voting rights.
These duties may be considered management functions for purposes of evaluating organizational
independence under generally accepted government auditing standards. In our opinion, these
functions do not affect our ability to conduct independent audits of program performance.

Authority
The audit was performed pursuant to the State Comptroller’s authority as set forth in Article V,
Section 1 of the State Constitution and Article II, Section 8 of the State Finance Law.
Division of State Government Accountability

18

 2017-S-51

Reporting Requirements
We provided a draft copy of this report to SUNY officials for their review and formal written
comment. Their comments were considered in preparing this final report and are attached at the
end in their entirety. SUNY disagrees with many of the report’s findings and conclusions. Our
rejoinders to those comments are included in the report’s State Comptroller’s Comments, which
are embedded in SUNY’s response.
SUNY officials provided significant amounts of supplemental information to us after we presented
initial findings to them, and then again after the draft report was issued. Much of the supplemental
information could have been provided to the auditors during our site visits. We provided campus
officials numerous chances to provide supporting documentation for our findings and supplied
the campuses with guidance on what types of information they could provide as appropriate
evidence to satisfy our requirements. We are disappointed that much of this information was
only provided after the issuance of our draft report, and well after the corresponding events took
place. In addition, some of the information provided contradicts statements made by officials
during our site visits and follow-up meetings. When records are not contemporaneous with the
events in question, they are of limited evidentiary value. The timeline below depicts key events
in the audit process, including timing of SUNY responses to OSC preliminary reports, various
meetings held with the campuses regarding the findings, and the extended time period during
which our auditors considered information that SUNY provided.
March 2, 2018

May 4, 2018

April 6, 2018

Last date
Preliminary
Reports were
issued to SUNY

March 26, 2018

Meeting with
University Auditor
regarding Draft
Report

Information
received from
campuses from
2nd closings

Last date of
2nd Closing
Conferences
with campuses

Preliminary
Response
Received

July 20, 2018

Last date of 2nd
Closing Conference
with SUNY
Administration

May 1, 2018

Draft Report
issued

June 21, 2018

Binder of new
information from
various campuses
received

July 26, 2018

Within 90 days of the final release of this report, as required by Section 170 of the Executive
Law, the Chancellor of the State University of New York shall report to the Governor, the State
Comptroller, and the leaders of the Legislature and fiscal committees, advising what steps were
taken to implement the recommendations contained herein, and if the recommendations were
not implemented, the reasons why.

Division of State Government Accountability

19

 2017-S-51

Contributors to This Report
Brian Reilly, CFE, CGFM, Audit Director
Nadine Morrell, CIA, CISM, CGAP, Audit Manager
Heather Pratt, CFE, Audit Supervisor
Richard Podagrosi, Examiner-in-Charge
Chelsey Fiorini, Senior Examiner
W Sage Hopmeier, Senior Examiner
Zachary Schulman, Senior Examiner
Nicole Tommasone, Senior Examiner
Mary McCoy, Supervising Editor

Division of State Government Accountability
Andrew A. SanFilippo, Executive Deputy Comptroller
518-474-4593, asanfilippo@osc.ny.gov
Tina Kim, Deputy Comptroller
518-473-3596, tkim@osc.ny.gov
Ken Shulman, Assistant Comptroller
518-473-0324, kshulman@osc.ny.gov

Vision
A team of accountability experts respected for providing information that decision makers value.

Mission
To improve government operations by conducting independent audits, reviews, and evaluations
of New York State and New York City taxpayer-financed programs.

Division of State Government Accountability

20

 2017-S-51

Agency Comments and State Comptroller’s Comments

Division of State Government Accountability

21

 2017-S-51

efforts in this area and also support that SUNY has the necessary controls in place to safeguard
the Campus Community. SUNY commits significant resources, provides substantial
oversight, and takes numerous preemptive measures, including routine laboratory safety
training and emergency drill activities, to help ensure the health and safety of the Campus
Community. Examples of these measures include:
State Comptroller’s Comment – Auditors test not only the design of controls, but also their
implementation. We reviewed various aspects of the measures listed below and found, in
several areas, that although there may have been written procedures, they were not always
being followed. For example, we found improper storage of hazardous materials, including
those that were not locked up to prevent access, unsecured materials piled on carts being
eroded by exposure to the hazardous materials stored on them, and rooms left open—some
that even had signs stating to “keep door closed at all times.” (Note: We have photos providing
evidence of these issues. While they were not included in the draft, they are available for SUNY
officials’ review.)
1. SUNY employs numerous robust preventative measures which include: written procedures
for safely handling hazardous chemicals and materials, documented risk assessments,
general and specialized safety committees, safety training, proper labeling, chemical
segregation and storage, personal protective equipment (safety glasses and gloves, etc.),
specialized facilities (environmental chambers and ventilation, etc.), proper signage,
safety data sheets, among others.
2. Training in the use of hazardous materials for non-laboratory personnel is conducted in
compliance with Occupational Safety and Health Administration (OSHA) Hazard
Communication Standard. Laboratory personnel are trained in laboratory safety and local
procedures as required by the campus' written Chemical Hygiene Plan as part of
compliance with OSHA's Occupational Exposure to Hazardous Chemicals in
Laboratories. Additionally, personnel receive training in hazardous waste management and
the transportation of hazardous materials as required by the Environmental Protection
Agency, NYS Department of Environmental Conservation (DEC), and Department of
Transportation.
3. Hazardous materials are heavily regulated by many federal agencies including OSHA,
Environmental Protection Agency, Department of Transportation, Department of
Homeland Security (DHS), as well as State agencies such as the NYS Department of
Environmental Conservation, NYS Department of Health, and the NYS Department of
Labor. Many of these entities have multiple programs addressing various aspects of
chemical safety, all of which have associated risk assessments informing the scope and
details of the regulatory programs. SUNY campuses have extensive compliance
programs.
4. As a result of the highly regulated environment surrounding environmental health and
safety concerns, SUNY is routinely subject to numerous external audits, reviews and
inspections by a variety of external agencies such as, DEC, DHS and NYS Public
Employees Safety and Health Bureau. The University at Buffalo alone was subjected to

Division of State Government Accountability

22

 2017-S-51

over 1,400 regulatory inspection hours by external agencies in the last three years. For
example, the Department of Homeland Security conducted a limited inspection in July
2018 at University at Buffalo and identified no deficiencies with the campus' compliance
program for Chemical Facility Anti- terrorism Standards (CFATS).
State Comptroller’s Comment - As noted in the report, we could not determine, nor could
officials provide, assurance that Buffalo’s storage of hazardous materials did not exceed CFATS’
established thresholds at the time of our visit. Further, we were not provided any information
or documentation of this July 2018 review by the Department of Homeland Security, as it
occurred after the scope of our audit and during the time period this draft response was being
prepared. Therefore, we cannot determine if this limited inspection addressed the issues
already identified in our audit report relating to Buffalo’s reporting under CFATS.
5. The campuses employ Environmental Health & Safety (EH&S) professionals who assist
with prevention of and response to chemical, biological, radiological, and other hazardous
materials incidents at the campuses. The EH&S offices serve as technical resources and
provide tools, training, and communication for the campuses on best practices and
compliance issues (including compliance with SUNY requirements, and local, State, and
federal level regulations for environmental management and occupational safety and
health). The EH&S Office at System Administration supports these efforts.
State Comptroller’s Comment - While EH&S staff provide guidance on specific State and
federal regulations and specific SUNY administrative policies, we found the unit staff provide
little guidance on areas not covered under regulations. For example, EH&S does not provide
guidance on access to or inventory controls over hazardous materials. EH&S officials
specifically stated they do not do this, as there are no State or federal regulations for access or
inventory controls.
6. SUNY employs numerous mitigation and response programs which include:
•

Emergency Response Plans (ERP) are developed which outline how each campus
intends to prepare for, prevent, respond to, and recover from emergencies including
those that involve hazardous materials and waste that occur on campus or affect the
campus. Each ERP is tailored to address the specific needs of that campus.

State Comptroller’s Comment - We reviewed Emergency Response Plans at each campus
visited. We found that not all of the plans were complete or up to date, as documented
throughout the report.
•

Appropriate campus faculty and staff receive training in the Incident Command
System (ICS) and National Incident Management System (NIMS) that corresponds
with their identified roles and responsibilities in an emergency. These comprehensive
systems are a national approach to incident management that is applicable at all
jurisdictional levels and across functional disciplines to address a full spectrum of
potential incidents, hazards, and impacts.

Division of State Government Accountability

23

 2017-S-51

•

Emergency response drills and training exercises using the concepts of ICS/NIMS are
conducted regularly to exercise the emergency operations centers and enhance the
coordination, training, and response capabilities of campus personnel internally, as
well as with local emergency response agencies. Additionally emergency evacuations
are practiced regularly in compliance with the NYS Fire Code and NYS Education
Law.

•

SUNY State University Police is a fully empowered State law enforcement agency.
SUNY's State operated campuses employ fully sworn police officers in each of their
police departments. These professionals are fully trained officers who staff their
departments on a 24/7 hour basis consistent to manage the activities of a college
campus. Training includes community emergency response, CPR/AED/ First Aid,
emergency deployment, safety, bomb incidents, etc. SUNY police officers are on site
and very knowledgeable about the footprint and layout of their campus, which
enhances their ability to respond to any emergency or need. SUNY police
departments also include inspectors who are trained to investigate crimes and other
matters affecting the safety and security of their campus. In addition, SUNY partners
with DHS, Federal Bureau of Investigation, and others, as necessary.

State Comptroller’s Comment - We spoke with University police officers at three campuses.
These officers identified and corroborated some of the risks found as part of our audit. For
example, one officer noted that the return of keys is not a priority. At another campus, officers
noted a lack of administrative support related to the implementation of tighter access controls.
•

To support all of the above, SUNY utilizes emergency response equipment, fire
protection systems, mass communication systems, and strong building and fire code
enforcement programs supplemented by annual third party inspections. Some
campuses employ 24/7 fire marshal services and NYS Type 2 Hazmat teams who have
the ability to use advanced equipment to detect the presence of known or unknown
gases, vapors, chemicals, and other substances and have a cache of equipment to
conduct leak intervention, plugging, patching, chemical neutralization, and
decontamination.

II. Audit Results and Conclusions
SUNY recognizes that audits often provide opportunities for enhancement and improvement
of processes and procedures. The Campuses gained some valuable insight and noted
opportunities for enhancement such as maintaining documentation supporting proper access
controls. However, after several discussions with OSC and careful consideration of the audit
report, SUNY disagrees with many of the report's findings and conclusions. The following
represent a few areas of disagreement:
1. SUNY does not concur with the audit testing methodology which required finding every
chemical including other non-hazardous materials, such as sand, on a list of chemicals for
a specific laboratory since these lists are updated on a periodic and not perpetual basis. In

Division of State Government Accountability

24

 2017-S-51

general, most campus Chemical Hygiene Plans will require that when a new chemical is
introduced to a laboratory it be added to the list of chemicals used in that laboratory and
the OSHA compliant Safety Data Sheets (SDS) should also be available in the laboratory.
Over time, chemicals may be fully used, returned to a storage room, or transferred to
another laboratory. Looking for chemicals from a list which is updated periodically is not
an effective audit test since it is unlikely all chemicals will be found. If the purpose was to
support conclusions regarding the Campus' ability to safeguard the Campus Community,
then the auditors should have selected a sample of chemicals present in a laboratory,
tested that the applicable SDS were present, and that the chemicals were properly stored
and labeled.

State Comptroller’s Comment - SUNY’s characterization of our testing methodology is
incorrect. Our testing methodology was determined by the requirements of each campus’ own
Chemical Hygiene Plan, which SUNY EH&S requires and each campus designs to meet its own
needs. Additionally, the Chemical Hygiene Plans have many requirements; the focus of our
testing was the inventory requirements outlined in the various Plans. We used the inventories
provided by SUNY officials and conducted our testing based on those, not the Safety Data
Sheets.
2. SUNY does not concur with the audits insistence that all chemicals go through a central
receiving area. In many cases, delivery of chemicals directly to the laboratories is a safer
method as the chemicals will be received by trained staff and are often delivered by
shipping carriers also trained in handling hazardous materials. Delivering directly to the
laboratories means chemicals will be handled by fewer intermediaries and can be properly
secured and stored promptly. This enhances safety, rather than reducing it.

State Comptroller’s Comment - Auditors did not insist, nor does the report recommend, that
hazardous materials go through a central receiving area. Rather, it recommends that controls
over procurement be improved and that risks be assessed and controls be implemented as
necessary to address such risks. For instance, one risk the audit identified is that purchasing
staff on site stated that purchases can go to any location, including an office or an individual’s
home, where these materials would not be safeguarded from improper handling. We refer to
central receiving only as it relates to other procurement weaknesses.
3. The audit suggests that a campus' inability to track chemical purchases by laboratory is a
shortcoming. SUNY disagrees with this assessment and notes that chemicals may be
purchased and used in multiple laboratory areas and not attributed to one specific
laboratory location. Collaboration among laboratories is the hallmark of a vital research
community, and reflects efficiencies in purchasing. There is no known requirement that the
procurement system must track chemical purchases by laboratory. Additionally, the
auditors tried to reconcile purchasing records to chemical inventory supplies, a traditional
financial inventory accounting process. This audit method does not measure the adequacy
of SUNY's controls for safeguarding Campus Communities.

State Comptroller’s Comment - We did not state that material purchases needed to be

Division of State Government Accountability

25

 2017-S-51

tracked by laboratory. Auditors attempted to use purchasing records in instances where
campuses did not maintain inventories in accordance with their Chemical Hygiene Plans.
Limitations of the procurement system were only disclosed to explain why this testing was not
feasible. As noted in the first State Comptroller’s Comment on page 25, we used inventories
maintained by the campuses for our reconciliations.
4. The audit fails to note that the procurements made through Buffalo's e-requisition system
require a secondary review and approval at the department level. This is an appropriate
control since the department representatives would have the requisite knowledge to
determine the appropriateness of the business justification.

State Comptroller’s Comment - As noted in our report, Buffalo procurement officials
stated that no additional controls have been established to mitigate risk, such as requiring
business justifications or pre-approvals for purchases of hazardous materials. Officials
stated procurement does not have the knowledge to determine business justifications.
After our site visit and after the draft report was issued, SUNY provided documentation to
support Buffalo’s use of business justifications for hazardous materials purchases.
However, SUNY provided only a copy of the University policy (which was requested on site
and not provided until the response to the draft was being processed) and a screenshot of
the e-requisition dropdown menu for a business justification. Neither the policy nor the
screenshot supported that this function was actually used for hazardous material
purchases. Therefore, while this may be a function of the system, based on comments
from procurement officials and a lack of additional support, we cannot conclude business
justifications are routinely used for hazardous material purchases.
5. OSC tested two separate access control aspects: (1) security of the doors for rooms
potentially containing hazardous chemicals and (2) documentation related to granting
access to areas containing hazardous chemical materials. While SUNY generally agrees
there are opportunities to improve maintaining documentation related to granting access,
it is disappointing that the audit did not report that for most campuses, laboratory doors
were found to be appropriately secured. In fact, the auditors found all laboratory doors at
University at Buffalo were properly secured.

State Comptroller’s Comment - SUNY’s characterization of our testing methodology is, once
again, incorrect. We tested not only physical access and authorization, but also whether the
campuses tracked what keys were issued and to whom. As access controls are interrelated,
deficiencies in one area adversely diminish properly functioning controls in other areas.
Specifically, Buffalo officials could not trace or determine how many keys were issued for rooms
containing hazardous materials or who possessed said keys. With key access available to an
undetermined number of labs and to an unknown number of persons, the fact that all the
doors were found to be locked does not mitigate the risk of access from unauthorized
individuals to hazardous materials. Our report also notes that we found access controls as a
whole to be adequate at both SUNY Cobleskill and SUNY Poly.

Division of State Government Accountability

26

 2017-S-51

6. We are disappointed that the audit continues to voice concerns regarding Buffalo's
compliance with CFATS given that the campus worked closely with the Department of
Homeland Security (DHS) who promulgated and enforces the regulations. DHS assisted
in the refinement of the campus program to develop adequate controls. DHS has been
satisfied with the Buffalo's program, as was noted in correspondence from DHS provided
to the auditors. Furthermore, as previously noted within our response, DHS conducted a
limited inspection in July 2018 and identified no deficiencies with the campus'
compliance program for CFATS.

State Comptroller’s Comment - As noted in the report, we could not determine, nor could
officials provide, assurance that Buffalo’s storage of hazardous materials did not exceed CFATS’
established thresholds at the time of our visit. Further, we were not provided with any
information or documentation of this July 2018 review by the Department of Homeland
Security, as it occurred after the scope of our audit and while this draft response was being
prepared. Therefore, we cannot determine if this limited inspection addressed the issues
already identified in our audit report relating to Buffalo’s reporting under CFATS.
7. SUNY disagrees with the misleading characterization of leased space inspections at
Buffalo. In response to OSC's concerns regarding leased spaces, the Campus indicated
that inspections of leased spaces were conducted and the inspections included reviewing
the type of chemicals in use within the space. The auditors were provided with an
example inspection summary report document associated with the inspection for the one
leased location. The auditors were also provided with an example of the handwritten notes
documented at the time of the inspection matching the summary report for the leased space.
The handwritten inspection notes identified the date and room location of the inspection.
While handwritten, these represent contemporaneous and accurate records of the
inspections, and while additional documentation was offered, none was requested.

State Comptroller’s Comment - During the audit, we received conflicting information from
Buffalo officials regarding the leased space. For example, officials stated they could not obtain
inventories from lessees as that information is proprietary, even though the lease specifically
requires inventories. This is the same official who, per SUNY Buffalo’s documentation,
conducted the inspections. Also, SUNY did not provide a completed inspection report for its
leased space—a blank copy of the standard inspection checklist was provided, accompanied by
a handwritten note listing three room numbers. After reviewing the blank inspection checklist
document, we found that, for the 15 areas that would be covered under the review, only 2
addressed hazardous chemicals, and those sections did not call on the inspectors to specifically
inventory or review hazardous chemicals. Also, we were not provided with any policy or
procedure on how frequently these inspections occur.
It should be noted that inspections of leased space were not incorporated in the procedures
SUNY stated they followed to determine compliance under CFATS, dating back to 2008 when
they were first required to report. Moreover, this information was not provided until after our
draft report was issued and after we spoke with both Buffalo and SUNY officials several times
regarding our concerns. When we reported on the various control weaknesses to Buffalo

Division of State Government Accountability

27

 2017-S-51

officials, they were not open and responsive to the issues we raised. Although it is not standard
practice to accept additional documentation after the draft report is issued, SUNY officials
requested we take additional support, which had not been provided previously, into
consideration. We agreed, and requested that officials include everything they wished us to
consider in preparing the final report. The aforementioned documentation was all that was
offered and provided.
In response to the recommendations, SUNY System Administration will continue to provide
guidance and support to the campuses regarding risks related to hazardous materials and waste
and compliance with the numerous regulations to which SUNY is subject. As there is no higher
priority than the Safety of our Campus Community, the campuses will also continue to identify
and assess the risks associated with hazardous materials and waste, design effective controls to
mitigate those risks, and proactively prepare for emergencies, and balance those needs with
the need for appropriate documentation and controls on purchasing systems.

Copy: Chancellor Johnson, Ms. Bee-Donohoe, Ms. Boyle, Ms. Garvey, Mr. Haelen, Mr.
Megna, Ms. Montalbano, Mr. Dermody/Plattsburgh, Mr. Diamond/SUNY Poly, Mr.
Kaczmarczyk/Stony Brook, Ms. Kearney-Saylor/University at Buffalo, Ms. Majak/New
Paltz, Mr. Panico/Stony Brook, Mr. Squair/Oneonta, Ms. Morrell/OSC, Ms. Pratt/OSC

Division of State Government Accountability

28