REPORT DIGEST

 

DEPARTMENT OF CENTRAL MANAGEMENT SERVICES

 

FINANCIAL AUDIT AND COMPLIANCE EXAMINATION

For the Year Ended: June 30, 2009

 

Summary of Findings:

Total this audit:  19

Total last audit:  24

Repeated from last audit:  18

 

Release Date: April 13, 2010

 

State of Illinois, Office of the Auditor General

WILLIAM G. HOLLAND, AUDITOR GENERAL

 

To obtain a copy of the Report contact:

Office of the Auditor General, Iles Park Plaza, 740 E. Ash Street, Springfield, IL 62703

(217) 782-6046 or TTY (888) 261-2887

 

This Report Digest and Full Report are also available on the worldwide web at http://www.auditor.illinois.gov

 

 

SYNOPSIS

 

           The Department’s year-end financial reporting to the Office of the State Comptroller contained significant errors.

 

           The Department generated excess retained earnings balances for the Communications Revolving Fund and failed to make adequate adjustments as required by OMB Circular A-87.

 

           The Department recognized costs for federal reporting purposes different than reported in the Department’s financial statements, and unallowable costs were reported for federal purposes.

 

           The Department did not maintain complete, accurate, or detailed records to substantiate its current midrange computer systems and equipment.

 

           The Department is not actively managing its leased space or occupancy, nor bidding and renewing, or consolidating its existing leases.

 

           The Department filed emergency purchase affidavits for purchases which were not emergencies.

 

           The Department’s Illinois Office of Internal Audit did not comply with the Fiscal Control and Internal Auditing Act that requires audits of major systems of internal accounting and administrative control.

 

 

INTRODUCTION

 

            Our audit of the Department of Central Management Services is a Financial Audit and Compliance Examination for the year ended June 30, 2009.  This report contains Government Auditing Standards findings and State Compliance findings. 

 

 

FINDINGS, CONCLUSIONS, AND RECOMMENDATIONS

 

WEAKNESSES IN INTERNAL CONTROL OVER FINANCIAL REPORTING

 

            The Department’s year-end financial reporting in accordance with generally accepted accounting principles (GAAP) to the Office of the State Comptroller contained significant errors in the determination of certain year-end assets and liabilities.

 

During the audit of the June 30, 2009 financial statements and testing of workers’ compensation liability and automobile liability information, the auditors noted material weaknesses and significant deficiencies resulting from the Department’s failure to establish adequate internal control over the accumulation of information necessary for the proper determination of year-end liabilities as follows:

 

           The Department is responsible for administering the State’s workers compensation program and reporting estimated liabilities for amounts to be paid to injured employees or beneficiaries in future years relating to injuries already suffered.  This liability was previously calculated based on historical data projected out to payments expected to be made in the succeeding five fiscal years.  This calculation did not adequately recognize a liability for payments on two types of awards, pension and death benefit, that provide benefits for indefinite periods of time (Lifetime Awards) to be made beyond the succeeding five fiscal years.  During fiscal year 2009, the Department corrected the calculation and utilized life expectancies on a benefit specific basis and determined the liability at June 30, 2008 was understated by $101 million in the General Revenue Fund and $24 million in the Road Fund.  The beginning fund balances of these major funds were restated to correct the $125 million understatement.

 

           During testing of the workers compensation liability, the auditors noted an error in the calculation resulting in an overstatement of $3.916 million in the General Revenue Fund and $918 thousand in the Road Fund.  The fiscal year 2009 financial statements were adjusted to correct the $4.834 million overstatement.

 

           The Department is responsible for reporting liabilities arising from accidents involving State employees.  While testing large (>$25,000) Automobile Liability reserves at June 30, 2009, the auditors noted a portion of a claim had been settled during the fiscal year leaving an estimated liability of approximately $50,000.  This outstanding claim was improperly excluded from the calculation of large Automobile Liability reserve for the Road Fund. 

 

           During testing, the auditors noted several other errors in the preparation of the Department’s internal service fund financial statements.  The errors included improperly calculating the amount reported as “invested in capital assets, net of related debt,” overstating installment purchase liabilities due to a data entry error, and other misstatements of receivables, payables and capital assets.  The errors noted were not individually significant to the financial statements taken as a whole, however, the Department did not have effective controls over the reconciliation and review functions to ensure amounts were properly reported at June 30, 2009.  (Finding 1, pages 15-17 of the Compliance Report)  This finding was first reported in 2007.

 

We recommended the Department implement procedures to ensure GAAP Reporting Packages are prepared in a complete and accurate manner and information provided to other agencies and the Office of the State Comptroller for financial reporting purposes is complete and accurate.

 

Department officials concurred with our recommendation and stated that the Workers Compensation liability calculation was revised in the current year to include full liability for lifetime awards.  The new calculation contained a duplicate line creating an overstatement of the liability.  The Department is also implementing an end-of-year review process for auto liability claims which will reduce the chance for error in estimating claim liabilities.  Further, all financial reports will be more closely reviewed before transmission to the Office of the Comptroller so that adjustments are correct and amounts are recognized in the appropriate fiscal year for financial reporting.  (For previous agency response, see digest footnote #1.)

 

 

EXCESS RETAINED EARNINGS BALANCES REPRESENTING NONCOMPLIANCE WITH FEDERAL REGULATIONS

 

The Department generated excess retained earnings balances for the Communications Revolving Fund and failed to make adequate adjustments as required by OMB Circular A-87.

 

The Department’s internal service funds receive revenue from charges for services provided to various federal grants of the State.  OMB Circular A-87 allows internal service funds to maintain reasonable working capital reserves (up to 60 days cash expenses) for normal operating purposes.  However, the Communications Revolving Fund (CRF) administered by the Department maintained retained earnings balances in excess of the allowable working capital reserve.

 

Consequently, a payback representing the federal share of excess retained earnings balances for fiscal years 2006 and 2007 is required from the CRF and the Department believes that it is probable that a payback will be required from this fund for fiscal years 2008 and 2009.  The CRF liability for fiscal years 2006 and 2007 is approximately $2.445 million.  It is estimated that the CRF liability for fiscal years 2008 and 2009 is approximately $2.653 million.  Total liabilities recognized at June 30, 2009, representing the federal share of excess retained earnings balances, are reported to be $5.098 million for the CRF.

 

Furthermore, Circular A-87 stipulates “A comparison of the revenue generated by each billed service (including total revenues whether or not billed or collected) to the actual allowable cost of the service will be made at least annually, and an adjustment will be made for the difference between the revenue and the allowable costs.”  The Department performs the annual comparison; however, the adjustments required by Circular A-87 are not made on a timely basis.  As a result, the CRF continued to accumulate excess retained earnings balances.  (Finding 2, pages 18-19 in the Compliance Report)  This finding was first reported in 2006.

 

We recommended the Department comply with the provisions of OMB Circular A-87 by making adequate adjustments for excess retained earnings balances in internal service funds for each billed service using an acceptable method.

 

Department officials stated that they believe that its excess balance adjustment practices are compliant with OMB Circular A-87 guidelines.  Negotiated settlements are an acceptable method of adjustment.  The large accumulated outstanding balances for FY06-FY08 will be settled with the federal department of HHS in April 2010.  In addition, the Department has significantly reduced its exposure to new excess balances through aggressive rates realignments.  (For previous agency response, see digest footnote #2.)

 

 

NEED TO REPORT COSTS IN ACCORDANCE WITH FEDERAL REGULATIONS

 

The Department recognized costs for federal reporting purposes different than reported in the Department’s financial statements prepared in accordance with generally accepted accounting principles (GAAP), and unallowable costs were reported for federal purposes.

 

Specifically, we noted the following during our review of the fiscal year 2008 reconciliations that were completed by the Department during the audit period (in March 2009) for the Statistical Services Revolving Fund (SSRF), Communications Revolving Fund (CRF), and the Facilities Management Revolving Fund (FMRF):

 

           Expenses in the SSRF totaling $2,566,000 were properly accrued and reported in the fiscal year 2008 GAAP basis financial statements but were not accrued for federal purposes in fiscal year 2008.

 

           Expenses in the FMRF totaling $437,000 were properly accrued and reported in the fiscal year 2008 GAAP basis financial statements but were not accrued for federal purposes in fiscal year 2008.

 

           Equipment totaling $4,140,000 purchased in the CRF during the fiscal year 2008 lapse period was reported as 2008 expenses for federal purposes but was capitalized in the fiscal year 2009 GAAP basis financial statements.

 

           Equipment totaling $1,453,000 purchased in the SSRF during the fiscal year 2008 lapse period was reported as 2008 expenses for federal purposes but was capitalized in the fiscal year 2009 GAAP basis financial statements.

 

           Depreciation expense in the SSRF reported in 2008 for federal purposes was $519,000 less than reported in the 2008 GAAP basis financial statements.

 

           Depreciation expense in the CRF reported in 2008 for federal purposes was $1,537,000 less than reported in the 2008 GAAP basis financial statements.

 

           An increase in compensated absence liability in the SSRF totaling $196,000 was reported as 2008 expenses for the GAAP basis financial statements but was not accrued for federal purposes in fiscal year 2008.

 

           An increase in compensated absence liability in the CRF totaling $76,000 was reported as 2008 expenses for the GAAP basis financial statements but was not accrued for federal purposes in fiscal year 2008.

 

           An increase in compensated absence liability in the FMRF totaling $217,000 was reported as 2008 expenses for the GAAP basis financial statements but was not accrued for federal purposes in fiscal year 2008.

 

A number of the differences cited above represent timing differences and, over a period of two fiscal years the over and under statements will offset one another.  However, as the determination of excess retained earnings balances is required to be performed annually, reporting such revenues and expenses in the wrong period could significantly alter the results of the calculation of excess balances.  (Finding 3, pages 20-21 in the Compliance Report)  This finding was first reported in 2007.

 

We recommended the Department comply with the provisions of OMB Circular A-87 by reporting revenues and expenses in accordance with generally accepted accounting principles for federal purposes.

 

Department officials concurred with our recommendation and stated that they continue to adjust its accounting practices to reduce reconciling items.  (For previous agency response, see digest footnote #3.)

 

 

INCOMPLETE AND INACCURATE RECORDS OVER COMPUTER SYSTEMS AND EQUIPMENT

 

The Department did not maintain complete, accurate, or detailed records to substantiate its current midrange computer systems and equipment. 

 

20 ILCS 405/405-410, effective January 15, 2005, authorized the Department to consolidate Information Technology functions of State government. 

 

Although the consolidation was authorized in January 2005, the Department still did not maintain adequate records over the midrange environment.  Specifically, during the review of approximately 1,300 servers, the auditors noted 160 (12.3%) were not included in the Department listing.  Due to the lack of complete and accurate information, the auditors were unable to conduct detailed testing.  (Finding 5, pages 24-25 in the Compliance Report)  This finding was first reported in 2007.

 

We recommended the Department ensure complete, accurate and detailed records are available to substantiate its midrange computer systems and equipment.  

 

Department officials concurred with our recommendation and stated that many of the issues described are related to legacy environments, and these environments did not have adequate controls in place prior to moving the servers to the data center.  Based on reviews of legacy agencies’ prior audit reports, it is evident that these systems were not being effectively managed prior to their move and were at serious risk from an environmental and security perspective.  The Department is currently pursuing the initiation of a project for a Configuration Management database to replace the Technical Validation database, which represents all DCMS managed IT processing equipment.  The Department is also reconciling its databases against the legacy Agency inventory systems to improve data integrity.  (For previous agency response, see digest footnote #4.)

 

 

LEASES IN HOLDOVER STATUS

 

The Department is not actively managing its leased space or occupancy, nor bidding and renewing, or consolidating its existing leases resulting in a substantial number of leases that have not been timely renewed or terminated.  The Department has procured 525 property leases.

 

Department records indicate that as of June 30, 2009, 116 of the 525 (22%) leases were in holdover status.  Leases in holdover status represent leases for which the contractual term of the lease has expired but the State continues to occupy space in the building and pay on a month-to-month basis under the previous terms of the lease.  Many of these leases have been in this status for over 5 years.  The Department has not assessed effective utilization of the space and has not negotiated terms that may be more favorable to the State.  (Finding 17, pages 43-44 in the Compliance Report)

 

We recommended the Department continue efforts in reducing the number of leases in holdover status.

 

Department officials concurred with our recommendation and stated that they are committed to eliminating holdover leases in accordance with the requirements of PA 96-0795.  The Department fully anticipate that they will be in compliance with the holdover lease provisions of the Act by its effective date.  Further, the Department stated that they continue to utilize a wide variety of space management strategies and tools to determine the most cost effective alternatives not only for agencies occupying holdover lease facilities, but for all leased properties under the Department’s purview.

 

 

AVOIDABLE USE OF EMERGENCY CONTRACTS

 

The Department filed emergency purchase affidavits for purchases which were not emergencies, in violation of the Illinois Procurement Code.

 

During our testing of emergency purchase affidavits, we noted four affidavits were filed to renew cellular services for various regions of the State while waiting to procure a State-wide master contract for cellular services.  Throughout the State of Illinois, there are seven service regions for cellular/wireless services.  These service regions are serviced by three separate vendors.  The contracts with these vendors have been procured by emergency purchase annually since September 2005.  During fiscal year 2009, all seven service region’s contracts were extended for a nine month period of January 1, 2009 to September 30, 2009.  Also, push-to-talk services were under contract with a fourth vendor whose services were extended through emergency purchase for the same nine month period as above.

 

In addition, we noted one affidavit was filed to extend telecommunications network services for the State for a twelve month period from December 15, 2008 to December 14, 2009.  The total estimated expenditures for the extension period were approximately $35.6 million.  The original contract, including allowable renewal periods, expired on September 30, 2008.  The Illinois Administrative Code (44 Ill. Adm. Code 1.2005(l)) allows for the extension of an indefinite quantity contract for a period of 90 days.  The network services contract was extended beyond September 30, 2008 date for 90 days with a new contract end date of December 14, 2008.  An additional twelve month extension was then procured through the emergency purchase method to allow for continued services while a request for proposal was conducted to establish a replacement contract.  (Finding 18, pages 45-46 in the Compliance Report)

           

We recommended the Department follow the Illinois Procurement Code and use the emergency provisions of the Illinois Procurement Code only in true emergencies and not due to inadequate planning.

 

Department officials concurred with our recommendation and stated that the two contracts in question will be awarded and implemented in FY10.  In addition, the Department has taken steps to minimize the use of emergency contract extensions by proactively managing complex procurements earlier in the procurement cycle.

 

 

INADEQUATE DOCUMENTATION OF COMPLIANCE WITH THE FISCAL CONTROL AND INTERNAL AUDITING ACT

 

The Department’s Illinois Office of Internal Audit (IOIA) did not comply with the Fiscal Control and Internal Auditing Act that requires audits of major systems of internal accounting and administrative control.

 

The Institute of Internal Auditors’ International Standards for the Professional Practice of Internal Auditing (IIA Standards) require the IOIA to develop risk-based plans to determine the priorities of the internal audit activities while the Fiscal Control and Internal Auditing Act (Act) (30 ILCS 10/2003) establishes specific mandates regarding internal audit requirements at Illinois State agencies.

 

The Act requires the internal auditing program to include audits of major systems of internal accounting and administrative control be conducted on a periodic basis so that all major systems are reviewed at least once every two years.  IOIA made improvements in the number of audits performed during fiscal years 2008 and 2009.  However, we noted IOIA did not ensure that audits of major systems were being completed once every two years as required by the Act as follows.

 

           The fiscal year 2009 IOIA audit plan identified 139 high risk audits that needed to be performed.  IOIA postponed or cancelled 72 high risk audits (52%).  As a result, IOIA did not complete approximately 13,000 of 28,000 (46%) budgeted hours of planned high risk audits.  IOIA representatives indicated this was a result of overages from audits completed or in draft report stage and the redistribution of resources to begin preliminary risk assessments relating to agencies for the American Recovery and Reinvestment Act (ARRA).  Furthermore, the Department, through the IOIA, issued a Request for Proposal (RFP) to procure 3,000 hours of internal audit assistance for ARRA risk assessment at various state agencies.  The redistribution of resources was not in response to a change in assessed risk for the audits which were considered high risk in the plan.  There were no policies identifying what the minimum criteria would have been to meet FCIAA requirements if the audit plan was not met for each of the FCIAA areas.  In addition, IOIA did not document their change in risk assessment for a particular audit if they focused on another area of FCIAA.

 

           IOIA could not demonstrate that they were addressing the additional risks associated with the agencies which had a greater impact on one of the eleven major transaction/event cycles in accordance with Statewide Accounting Management System (Procedure 02.50.20).  Internal audits were completed in the eleven major transaction/event cycles set forth in the SAMS (Procedure 02.50.20); however, the extent of testing performed in four of the cycles did not provide coverage commensurate with assessed risk on a state-wide basis.  For each major cycle noted, IOIA excluded key agencies from the audits performed even though the excluded agencies have significant responsibilities within the cycles.  (Finding 19, pages 47-48 in the Compliance Report)  This finding was first reported in 2006.

 

We recommended the Department ensure that audits of all major systems of internal accounting and administrative control are conducted at least once every two years as required by the Fiscal Control and Internal Auditing Act.  We further recommended the Department improve documentation of the risk assessment process to more clearly associate the internal audit effort with identified/assessed risks.

 

Department officials stated that annually IOIA identifies major FCIAA categories for the 38 agencies it audits.  A risk assessment in accordance with the Institute of Internal Audit standards to determine audit coverage for the year, track FCIAA coverage for all audits performed and monitor status continually throughout the year. Changes to the annual audit plan are documented using an “Audit Change Form” or an “Add Audit or Activity to Plan Form”. A major consideration specific to the FY09 plan was the American Recovery and Reinvestment Act (ARRA). A considerable amount of time was necessary to research and determine the impact to the State of Illinois. In FY10, ARRA is a component in the annual audit plan.  We will continue to assess our operations and implement improvements as needed.  (For previous agency response, see digest footnote #5.)

 

 

OTHER FINDINGS

 

The remaining findings are reportedly being given attention by the Department.  We will review the Department’s progress toward the implementation of all our recommendations in our next engagement.

 

 

AUDITORS’ OPINION

 

Our auditors stated the Department’s financial statements as of and for the year ended June 30, 2008 are fairly presented in all material respects.

 

 

WILLIAM G. HOLLAND, Auditor General

WGH:TLD:pp

 

 

SPECIAL ASSISTANT AUDITORS

 

Sikich LLP was our special assistant auditor for this engagement.

 

 

DIGEST FOOTNOTES

 

#1 – WEAKNESSES IN INTERNAL CONTROL OVER FINANCIAL REPORTING

 

2008:   Agreed.  The Department concurs and agrees that the effects of these financial statement classifications were immaterial.  GAAP reporting requirements have been communicated to staff and steps have been taken to identify and properly record these transactions.  CMS uses the Auto Liability System (ALS) for documentation purposes and support for the Auto Liability Reserves and does not rely on printed copies in the hard copy claim files.  The Department prefers this method as any unit employee may access the same consistent documentation in the on-line system.  CMS will continue to print out all ALS notes once the claim file is closed.  The reporting criteria used to identify large auto liability claims has been changed to include those files in which payments have been made from multiple funds, thereby eliminating the possibility that these amounts would be included in both the large and routine claim calculations.  CMS has developed a workers’ compensation liability model using life expectancies obtained from the Centers for Disease Control (CDC) Table 1 (All American Table).  The new methodology is in compliance with federal DHHS policy, issued by May 20, 2008 memorandum.  Future workers’ compensation liabilities will be projected including Lifetime Awards beyond five years.  The Department’s fixed asset reconciliation process has been reviewed and procedures identified to ensure proper GAAP reporting treatment of equipment purchases.

 

#2 – EXCESS RETAINED EARNINGS BALANCES REPRESENTING NONCOMPLIANCE WITH FEDERAL REGULATIONS

 

2008:   Agreed.  The Department concurs with the recommendation.  The existence of an excess balance alone is not a violation of A-87.  The federal requirement is that excess balances be remedied through the four methods mentioned above.  The Department contends that its adjustment methods are acceptable.  The Department does agree that adjustments should be timely.  DCMS continues to adjust rates annually (c) and adjust central service cost allocations annually (d) to reduce exposure to excess balances.  However, these annual adjustments cannot guarantee that excess balances will be entirely eliminated, since rates and costs are projections and are usage-sensitive.  Billing credits (b), like cash refunds, take multiple years to apply, so the adjustment occurs no faster than a negotiated payback and requires significantly more up-front cash which the state does not have.  Therefore, direct negotiated paybacks (a) have always been, and will likely always be, a part of the remedy for excess balances.  The timeliness of direct paybacks is dependent on the federal review cycle.  The federal Dept of HHS includes imputed interest in the payback calculations in recognition of, and as compensation for, any delay in remedying the excess balances.

 

#3 – REPORTING OF COSTS NOT IN ACCORDANCE WITH FEDERAL REGULATIONS

 

2008:   Agreed.  The Department concurs.  We have developed a more clear presentation of the reconciliation process for fiscal year 2008, and we are adjusting our practices where feasible to reduce the total number of reconciling items.

 

#4 – INCOMPLETE AND INACCURATE RECORDS OVER COMPUTER SYSTEMS AND EQUIPMENT

 

2008:   Agreed.  The Department concurs.  Many of the issues described are related to legacy environments, and these environments did not have adequate controls in place prior to moving the servers to the data center.  Based on reviews of legacy agencies’ prior audit reports, it is evident that these systems were not being effectively managed prior to their move and were at serious risk from an environmental and security perspective.  The Department is currently pursuing the initiation of a project for a Configuration Management database to replace the Technical Validation database, which represents all DCMS managed IT processing equipment.  The Department is also reconciling its databases against the legacy Agency inventory systems to improve data integrity.

 

#5 - INADEQUATE DOCUMENTATION OF COMPLIANCE WITH THE FISCAL CONTROL AND INTERNAL AUDITING ACT

 

2008:   Agreed.  IOIA identifies major FCIAA categories at each of the 38 agencies it audits.  We consider and track FCIAA coverage in all audits performed.  We do an annual risk assessment in accordance with IIA Standards at all agencies subject to audit by IOIA.  From the risk assessment and additional input from agency management, we prepare an audit plan that is reviewed and approved by the Governor’s Audit Committee.  We monitor the status of all planned audits throughout the year.  We amend our plan as necessary to respond to agency requests, changes in the organization’s environment, audit priorities and the allocation of scarce resources.  Any changes to the audit plan are documented on change forms approved by the Chief Internal Auditor.  The planning and coverage processes were reviewed and approved by independent auditors who performed an external assessment peer review of IOIA in 2008.  The State Internal Audit Advisory Board (SIAAB) approved the independent auditors who conducted the peer review.  SIAAB also reviewed and approved the peer review results.  We have made significant improvements to our process, but we acknowledge that no process is perfect, so we will continue to assess our operations and implement improvements as needed.