REPORT DIGEST DEPARTMENT OF CENTRAL MANAGEMENT SERVICES Financial Audit For the Year Ended:  June 30, 2013 Compliance Examination For the Two Years Ended:  June 30, 2013 Release Date:   April 22, 2014 Summary of Findings: Total this audit: 18 Total last audit:  16 Repeated from last audit: 10 State of Illinois, Office of the Auditor General WILLIAM G. HOLLAND, AUDITOR GENERAL To obtain a copy of the Report contact: Office of the Auditor General, Iles Park Plaza, 740 E. Ash Street, Springfield, IL 62703 (217)   782-6046 or TTY (888) 261-2887 This Report Digest and Full Report are also available on the worldwide web at www.auditor.illinois.gov INTRODUCTION This report covers our financial audit for the year ended June 30, 2013 and compliance examination for the two years ended June 30, 2013 of the Department of Central Management Services. SYNOPSIS • The Department’s year-end financial reporting to the Office of the State Comptroller contained significant errors. • Emergency purchase affidavits were filed by the Department for purchases which only met the definition of emergency due to the Department’s inability to procure contracts in a timely manner. • The Department’s surplus of electronic equipment inventory was inadequately controlled. • The Department did not comply with all requirements in regards to audits of major systems of internal accounting and administrative controls. • The Data Security on State Computers Act’s certification requirements were not complied with. • The Department lacked adequate controls over the sale of surplus property. FINDINGS, CONCLUSIONS, AND RECOMMENDATIONS WEAKNESSES IN INTERNAL CONTROL OVER FINANCIAL REPORTING The Department’s year-end financial reporting in accordance with generally accepted accounting principles (GAAP) to the Illinois Office of the State Comptroller contained significant errors in the determination of certain year-end account balances and note disclosures. During our audit of the June 30, 2013 financial statements, we noted material weaknesses and significant deficiencies resulting from the Department’s failure to establish adequate internal control over the accumulation of information necessary for the proper reporting of financial information as follows: • The Department is responsible for recording a liability for workers’ compensation claims for injuries incurred before year-end that are probable of resulting in an award, including pension-type or lifetime awards.  The Department made mathematical errors in the calculation of the total estimated liability for pension-type awards resulting in an understatement of the liability of $13.5 million.  Furthermore, the Department continues to estimate the liability using historical information rather than an actuarially calculated liability of projected outcomes based on facts and circumstances inherent in the individual claims and by applying a consistent and supported assessment of those individual claims which may result in an overstatement or understatement of the liability.  Department officials have stated the errors are the result of inadequate time devoted to performing the calculation and inadequate review of the calculation. •           The Department administers health and dental insurance benefit programs in the Health Insurance Reserve Fund, the Teacher Health Insurance Security Fund, the Local Government Health Insurance Reserve Fund and the Community College Health Insurance Security Fund.  The Department conducted an inadequate review of the independent actuarial valuation report for unpaid claims liabilities for these funds to evaluate the overall reasonableness of the Department’s calculation of unpaid claims liabilities at June 30, 2013.  Significant variances were noted between the unpaid claims liabilities calculation for claims reported in the health insurance funds as prepared by the Department and the independent actuary. Individual plan variances ranged from the Department calculation exceeding the actuary calculation by $10.9 million to the actuary calculation exceeding the Department calculation by $6.5 million.  The Department calculation for the Teacher Health Insurance Security Fund exceeded the actuary’s calculation in total by $14.6 million.  Such variances were not adequately evaluated by the Department to determine if the calculations were reasonable or if the potential for factors which may cause divergent results were present.  Such factors could include, but are not limited to, inaccurate data provided to the actuary or invalid assumptions used in the valuation methodology.  In addition, the lack of an adequate evaluation conducted by the Department led to delays in obtaining a timely resolution as to whether the Department’s calculation of unpaid claims liabilities for health insurance claims appeared reasonably stated as of June 30, 2013.  Ultimately, the Department provided additional information to the actuary resulting in revised calculations by the actuary that supported the reasonableness of the Department’s calculations. • During our review, we noted other errors in the preparation of the Department’s financial statements.  The errors included a miscalculation in estimated receivables and overstatement of revenues.  While the Department’s internal control process did not identify all of the errors noted, the errors were not material to the Department’s financial statements taken as a whole. • Department personnel in the Office of Finance and Management received a memorandum from the Comptroller dated November 4, 2013 noting the following financial information was requested and not received as of the October 31, 2013 due date: – Illinois State Employees Group Insurance Program Actuarial Valuation Report as of June 30, 2013. – Teachers’ Retirement Insurance Plan of the State of Illinois Actuarial Valuation Report as of June 30, 2013. – Community College Insurance Plan of the State of Illinois Actuarial Valuation Report as of June 30, 2013. – Footnote disclosure and/or supplementary information relating to actuarially calculated amounts for the above listed health insurance plans.  (Finding 1, pages 14-17) [This finding was first reported in 2007] We recommended the Department utilize an actuary to perform the workers’ compensation liability calculation or allocate adequate time and resources to the preparation of the liability calculation for financial reporting purposes. We also recommended that the Department conduct appropriate reviews of the independent actuarial valuation report for unpaid claims liabilities for the State administered health insurance funds.  The Department should implement procedures and cross-training measures to ensure required financial information is prepared in a timely, accurate and complete manner and also enter into intergovernmental agreements with the retirement systems to formalize the process for obtaining timely information necessary for the completion of the other post employment benefit obligation calculations. The Department concurred with the recommendations and stated they were dedicated to providing accurate financial reporting information by the stipulated due dates.  The Department plans to evaluate the cost effectiveness of a contract with an actuary for assistance with future Workers’ Compensation liability calculations after it has an opportunity to evaluate the third-party vendor’s full year data.  The Department also agreed that performing a timely review of the actuarial valuation for unpaid claims data will support the reasonableness of the calculations. Further, the Department will work with the Administrative and Regulatory Shared Service Center to enhance GAAP procedure documentation and to ensure adequate cross-training and review is performed.  Lastly, the Department will continue to provide its portion of data to the actuary timely and will communicate timelines to all affected partners and update intergovernmental agreements with the retirement systems to incorporate actuary requested due dates to meet stipulated reporting due dates. (For the previous Department response, see Digest Footnote #1) AVOIDABLE USE OF EMERGENCY CONTRACTS The Department filed emergency purchase affidavits for purchases which were not emergencies, in violation of the Illinois Procurement Code. During our testing of emergency purchases, we identified 5 affidavits totaling $2,867,709 during fiscal years 2013 and 2012 for purchases, according to the guidelines set forth in the Illinois Procurement Code (30 ILCS 500/20-30), that only met the definition of an emergency due to the Department’s inability to procure contracts in a timely manner, thus creating the emergency situation.  The purchases made by the Department under the 5 emergency affidavits included telecommunication services, commodity purchases, and janitorial services. In the prior engagement we also noted cellular services were procured as emergency purchases. The Department continued to extend the contracts through June 13, 2013 as emergency purchases. In one instance, the Department failed to recognize an emergency situation in a timely manner, which resulted in cellular services rendered without a contract for 59 days. One instance was noted in which the Department continued a contract with a cellular vendor through subsequent renewals and emergency procurement for 11 years, despite legislation stating that the maximum duration for contracts shall not exceed 10 years. (Finding 4, pages 23-24) [This finding was first reported in 2008] We recommended the Department follow the Illinois Procurement Code and use the emergency provisions of the Illinois Procurement Code only in true emergencies and not due to inadequate planning. The Department concurs that the procurement approach for emergency contracts should only be utilized in true emergency situations. The Department stated that they have taken steps to minimize the use of emergency contracts by proactively managing complex procurements earlier in the procurement cycle.  (For the previous Department response, see Digest Footnote #2) INADEQUATE CONTROLS OVER ELECTRONIC SURPLUS PROPERTY The Department had not established adequate controls over the surplus of electronic equipment inventory. During our review of surplus electronic inventory, we noted: • Surplus electronic equipment was not offered to State agencies or to municipalities and units of local government, rather equipment was shipped directly to recycling vendors. • The Department’s Surplus Inventory System and associated procedures lacked fields and instructions to describe the condition of the electronic equipment in order for the Department to determine the usefulness of the equipment for agency transfer or offer to local government. • The Department’s Property Control Rules (44 Ill. Adm. Code 5010.1260) stated the proceeds from the sale of surplus EDP equipment were to be deposited into the Statistical Services Revolving Fund.  However, the Department transferred 102,367 electronic devices to the recycling vendors for the period ended June 30, 2013.  The recycling vendors reported revenues of $110,561 from the sale of electronic devices; however, the proceeds were not remitted to the Department or deposited into the Statistical Services Revolving Fund. • Agencies did not routinely receive certification from the vendor or Department to properly document the transfer of equipment and update agency inventory records within 30 days as required by the Department’s Property Control Rules (44 Ill. Adm. Code 5010.400).  (Finding 5, pages 25-27) We recommended the Department implement a process to review the condition of equipment prior to it being sent to the recycling vendor. Additionally, the Department should obtain the $110,561 from the recycling vendors from the sale of electronic devices.  The Department should also enhance the Surplus Inventory System to include more detailed information. The Department concurred with our recommendation and will review their process for identifying surplus property and clearly define surplus vs. scrap.  They will also review the proceeds earned from the sale of usable (surplus) equipment to ensure accordance with the Administrative Code. NONCOMPLIANCE WITH THE FISCAL CONTROL AND INTERNAL AUDITING ACT The Department did not comply with the Fiscal Control and Internal Auditing Act (FCIAA) that requires audits of major systems of internal accounting and administrative control. Prior to fiscal year 2013, certain risk assessment processes lacked sufficient documentation.  While corrections were made in response to prior examination findings, during the current period under examination the following compliance exceptions were noted: • The fiscal years 2013 and 2012 two year audit plan was not approved by the Director before the beginning of fiscal year 2012. • Prior to April 2012, the Department of Internal Audit (DIA) did not have a formalized risk assessment process in place to identify specific risks, major systems, or transaction cycles. • Prior to December 2012, the DIA could not provide documentation supporting their risk- assessment process for identifying major new electronic data processing systems and major modifications to those systems. • In both fiscal years 2013 and 2012, the DIA did not perform timely audits of all major projects identified.  Thirteen major projects were identified during that time; however, the DIA did not perform a pre-implementation audit for three of these major projects.  (Finding 8, pages 32-33) [This finding was first reported in 2006] We recommended the Department allocate sufficient resources to implement, improve, and document a formalized program of quality assurance and to allow for the timely completion of planned audits included in the approved risk- based audit plan. The Department concurred with our recommendation. The Division of Internal Audit has updated their policies and procedures to include risk assessment processes for developing the annual audit plan, identifying new and major modifications to IT systems and developing audit programs.  (For the previous Department response, see Digest footnote #3) NONCOMPLIANCE WITH THE DATA SECURITY ON STATE COMPUTERS ACT The Department did not comply with the certification requirements in the Data Security on State Computers Act (20 ILCS 450). During our review, we inquired with the Department regarding their process for ensuring the wiping of data drives.  The Department stated that they did not wipe the hard drives of the laptops or PCs.  Instead they relied on the recycling vendors to wipe the drives; however, the required written certification was not requested or obtained.  (Finding 12, pages 38-39) We recommended the Department ensure computer equipment is timely wiped of data.  In addition, written certifications should be completed and retained as required by the Act. The Department concurred and will work to establish procedures to ensure compliance with the Data Security on State Computers Act. INADEQUATE CONTROLS OVER THE SALE OF SURPLUS PROPERTY During our review of surplus vehicles, we noted a total of 41 Illinois Department of Transportation (IDOT) vehicles and one Illinois Department of Corrections (IDOC) vehicle were sold from surplus property. The sales prices ranged from $303 to $1,824 for a total of $28,073.  Per review of these surplus property sales, we noted the following: • There was no documentation to support the acceptance by the Department’s Property Control Division of the vehicles from IDOT or IDOC prior to the sale of the vehicles, as required by the Illinois Administrative Code (Code) (44 Ill. Adm. Code 5010.1120). • No documentation could be provided that the vehicles were accepted by the Department with the following items, as required by the Code (44 Ill. Adm. Code 5010.1120): – A set of keys; – the State credit card assigned to the vehicle; – a “Vehicle Acquisition & Change Report” for the vehicle completed by the possessing agency; and, – a “Mileage Certification Form” signed by the possessing agency head or designee. • There was no evidence of vehicles being offered to other State agencies or local governments prior to being sold, as required by 44 Ill. Adm. Code 5010.1140. • Controls do not appear sufficient to prevent one person from placing vehicles on iBid, the Department’s electronic auction website, and selling without varying levels of approval, as well as allowing for vehicles to be sold outside of the iBid system.  (Finding 18, pages 46-47) We recommended the Department follow the Illinois Administrative Code for the handling and sale of surplus vehicles and update procedures where necessary. Further, all sales of surplus property should be subject to levels of approval prior to being sold as surplus. The Department concurred with the recommendation. It is CMS’ position the equipment in question was not transferrable equipment and was in fact inoperable equipment. The condition of the vehicles in question deteriorated to such extent that no reasonable return on investment could be offered from units of local government. OTHER FINDINGS The remaining findings are reportedly being given attention by the Department.  We will review the Department’s progress toward implementation of our recommendations during our next audits. AUDITORS’ OPINION Our auditors stated the Department’s financial statements as of and for the year ended June 30, 2013 are fairly presented in all material respects. STATE COMPLIANCE EXAMINATION – ACCOUNTANTS’ REPORT The auditors qualified their report on State Compliance for finding 2013-001.  Except for the noncompliance described in this finding, the auditors state the Department complied, in all material respects, with the requirements described in the report. WILLIAM G. HOLLAND Auditor General WGH:ETL SPECIAL ASSISTANT AUDITORS Sikich LLP were our special assistant auditors. DIGEST FOOTNOTES #1 –Weaknesses in Internal Control Over Financial Reporting –Previous Department Response The Department agrees with the recommendation. The Department is continually assessing the financial reporting process and implementing procedures to improve upon accuracy. #2 -  Avoidable Use of Emergency Contracts The Department concurs. The contracts in question have been competitively awarded and signed. The Department has taken steps to minimize the use of emergency contract extensions by proactively managing complex procurements earlier in the procurement cycle. In addition, the Executive Ethics Commission now has an oversight and approval role regarding proper use of emergency contracts. #3  Noncompliance With the Fiscal Control and Internal Auditing Act The Department concurs with the recommendation. To address the recommendation Internal Audit (IA) plans to take corrective action by implementing the following processes by end of fiscal year 2012. To address documentation of changes to the annual audit plan, IA will complete Audit Change Forms to identify audits on the Fiscal Year (FY) 2012/2013 audit plan that were not performed and the reasoning for not performing the audits. These change forms will identify whether the audit was postponed until the next fiscal year or whether it was canceled from the plan. In addition, a change form will be completed to identify any new audits performed during the fiscal year that were not on the approved FY 12/13 Audit Plan. In addition, IA will further address the recommendation by sending transmittal letters for all audit reports issued and will maintain a log of email correspondence supporting and identifying the date of issuance. To address documentation of risk assessment process, IA will implement a risk assessment process which involves sending questionnaires to Bureau management and assessing areas of risks. The risk assessment will be utilized to create the FY 13/14 Audit Plan for the Director to approve prior to July 1, 2012. The audit plan will also identify FCIAA coverage areas to ensure audits of all major systems of internal accounting and administrative control are conducted at least once every two years. In addition, IA will obtain a listing of BCCS system implementations or modifications performed during FY12 and document the materiality determination to audit/or not. Going forward IA will develop a process for documenting the system materiality for determination of major system reviews on an on-going basis throughout the fiscal year.  In addition, IA will prepare a written annual report for FY 12, as required by FCIAA, and submit to the Director by September 30, 2012. All of these procedures will be updated and documented in the Internal Audit's Policy and Procedure Manual to be followed and carried out going forward.