REPORT DIGEST
DEPARTMENT OF CENTRAL MANAGEMENT SERVICES
FINANCIAL AUDIT
For the Year Ended: June 30, 2010
Summary of Findings:
Total this audit: 3
Total last audit: 5
Repeated from last audit: 3
Release Date: April 7, 2011
State of Illinois, Office of the Auditor General
WILLIAM G. HOLLAND, AUDITOR GENERAL
To obtain a copy of the Report contact:
Office of the Auditor General, Iles Park Plaza, 740 E. Ash Street, Springfield, IL 62703
(217) 782-6046 or TTY (888) 261-2887
This Report Digest and Full Report are also available on the worldwide web at www.auditor.illinois.gov
____________________________
INTRODUCTION
This report covers our financial audit of the Department of Central Management
Services for the year ended June 30, 2010. A State compliance examination
covering the two years ended June 30, 2011 will be performed next year.
SYNOPSIS
• The Department’s year-end financial reporting to the
Office of the State Comptroller contained significant errors.
• The Department did not institute or implement
comprehensive standards to effectively secure and control the midrange computer
environment.
FINDINGS, CONCLUSIONS, AND RECOMMENDATIONS
WEAKNESSES IN INTERNAL CONTROL OVER FINANCIAL REPORTING
The Department’s year-end financial reporting in accordance
with generally accepted accounting principles (GAAP) to the Office of the State
Comptroller contained significant errors in the determination of certain
year-end account balances and note disclosures.
During the audit of the June 30, 2010 financial statements
and testing of workers’ compensation liability and automobile liability
information, the auditors noted material weaknesses and significant
deficiencies resulting from the Department’s failure to establish adequate
internal control over the accumulation of information necessary for the proper
determination of year-end liabilities as follows:
• During the auditor’s testing of the workers’ compensation liability, the
auditors noted an error in the calculation resulting in an understatement of
$17.790 million in the General Revenue Fund and $4.447 million in the Road
Fund. The fiscal year 2010 financial statements have been adjusted to correct
the $22.237 million overstatements.
• During the auditor’s testing of the workers’ compensation liability, the
auditors noted the Department did not have a formal evaluation or estimation
process for claims (injuries having occurred prior to year-end) which were
pending or were considered to be in the process of being awarded. The
Department calculated the workers’ compensation liability for pension-type
awards based primarily on awards which have been settled as of the fiscal year
end or very soon thereafter. Governmental accounting requires the Department
to determine whether it is probable, reasonably possible, or remote that a
liability has been incurred as of the date of the financial statements. If the
Department determines it is probable that a liability has occurred and an
amount can be reasonably estimated, such amount should be accrued as of the
financial statement date. The Department’s financial statements were
subsequently adjusted to include additional workers’ compensation liabilities
of $33.363 million in the General Fund and $8.341 million in the Road Fund,
representing an estimate of the total liability based on historical averages.
While the auditors do believe the financial statements are fairly stated at
June 30, 2010, the methodology does not necessarily result in a reasonable
estimate of the liability due to the wide range of potential settlement
outcomes. The estimate would be more accurate if calculated based on projected
outcomes based on the facts and circumstances inherent in the individual
claims. At June 30, 2010 the Department reported a total of 226 unsettled
claims of which a portion are likely to result in a pension-type award.
• The Department is responsible for reporting liabilities arising from
accidents involving State employees. While testing large (>$25,000) Automobile
Liability reserves at June 30, 2010, the auditors noted large claim payments
that were classified as routine and improperly included in the calculation of
the contingent liability for routine claims resulting in an overstatement of
the auto liability for routine claims of approximately $10,000.
• During testing, the auditors noted several other errors in the preparation
of the Department’s internal service fund financial statements. The errors
included improperly calculating the amount reported as “invested in capital
assets, net of related debt,” overstating accounts payable, and errors in the
calculation of the future minimum lease payments in the operating leases
footnote. The errors noted were not individually significant to the financial
statements taken as a whole; however, the Department did not have effective
controls over the reconciliation and review functions to ensure amounts were
properly reported at June 30, 2010. (Finding 1, pages 48-51 of the Financial
Report) This finding was first reported in 2007.
We recommended the Department implement procedures to ensure GAAP Reporting
Packages are prepared in a complete and accurate manner and information
provided to other agencies and the Office of the State Comptroller for
financial reporting purposes is complete and accurate. Additionally, we
recommended the Department evaluate pending workers’ compensation claims on a
case-by-case basis to ensure the calculation of the year-end liability is
accurate and representative of the probable loss to be incurred on such
outstanding claims.
Department officials concurred with our recommendation and stated that they
have addressed each of the control recommendations. (For the previous
Department response, see Digest Footnote #1)
INADEQUATE SECURITY AND CONTROL OVER THE MIDRANGE ENVIRONMENT
The Department did not institute or implement comprehensive
standards to effectively secure and control the midrange environment.
Although it has been five years since the consolidation, the auditors continue
to note inadequate security over the midrange environment. Specifically,
during the auditor’s review, the auditors noted:
• Comprehensive standards to effectively secure and control
the midrange environment had not been implemented across the midrange
environment.
• Password length and content requirements were lacking.
• Some administrative and user accounts did not require
passwords.
• Servers were not updated with the current vendor recommended patch or
service pack levels. (Finding 2, pages 52-53 of the Financial Report) This
finding was first reported in 2007.
We recommended the Department institute and implement comprehensive standards
to effectively secure and control the midrange environment for itself and
consolidated agency systems. In addition, we recommended the Department
formally communicate with consolidated agencies to determine their specific
security requirements, and develop and implement guidelines that outline both
the agencies' and the Department's responsibilities and provide a means for
consolidated agencies to verify that security and integrity controls in the
midrange environment are suitable and meet specific application requirements.
The auditors specifically recommended the Department: (1)
standardize password length and content requirements and ensure all accounts
require a password and (2) update servers to current vendor recommended patch
or service pack levels.
Department officials concurred with our recommendation and stated that they
will continue to strive toward standardization and maturity in the midrange
environment to improve security. (For the previous Department response, see
Digest Footnote #2)
OTHER FINDINGS
The remaining finding is reportedly being given attention by the Department.
We will review the Department’s progress toward the implementation of all our
recommendations in our next engagement.
AUDITORS’ OPINION
Our auditors stated the Department’s financial statements as
of and for the year ended June 30, 2010 are fairly presented in all material
respects.
WILLIAM G. HOLLAND
Auditor General
WGH:TLD:pp
SPECIAL ASSISTANT AUDITORS
Sikich, LLP were our special assistant auditors.
DIGEST FOOTNOTES
#1 – Weaknesses in Internal Control Over Financial Reporting – Previous Department Response
The Department concurs. The Workers Compensation liability calculation was
revised in the current year to include full liability for lifetime awards. The
new calculation contained a duplicate line creating an overstatement of the
liability. The Department provided a revised liability calculation and
required adjustments to the Office of the Comptroller. A revised liability
calculation template is in place for next fiscal years. The Department is
implementing an end-of-year review process for auto liability claims which
will reduce the chance for error in estimating claim liabilities. All
financial reports will be more closely reviewed before transmission to the
Office of the Comptroller so that adjustments are correct and amounts are
recognized in the appropriate fiscal year for financial reporting.
#2 – Inadequate Security and Control Over the Midrange Environment – Previous Department Response
The Department concurs and will continue to strive toward standardization and
maturity in the midrange environment. In order to provide immediate benefit of
physical environment control, DCMS relocated the non-standard server platforms
into its data center which led to the need to support multiple, non-standard
environments. Many of the underlying causes are a result of the decision to
relocate servers prior to consolidation. The current Architectural Review
Board, Service Engineering Unit, and I.T. Governance process will continue
efforts to implement standards, establish appropriate documentation and
guidelines, and communicate with agencies. The recent purchase and
installation of a comprehensive compliance monitoring product will help
control users with security administration authority; identify users that
should be deactivated for non-use, and help DCMS track server patch and
service pack levels. As staff resources and budgets permit, the Department
plans to schedule an enterprise assessment of its security controls.