REPORT DIGEST

DEPARTMENT OF CENTRAL MANAGEMENT SERVICES

COMPLIANCE EXAMINATION FOR THE TWO YEARS ENDED JUNE 30, 2019

Release Date: July 7, 2020

FINDINGS THIS AUDIT: 12

CATEGORY: NEW -- REPEAT -- TOTAL
Category 1: 2 -- 0 -- 2
Category 2: 4 -- 5 -- 9
Category 3: 1 -- 0 -- 1
TOTAL: 7 -- 5 -- 12

FINDINGS LAST AUDIT: 9

Category 1: Findings that are material weaknesses in internal control and/or a qualification on compliance with State laws and regulations (material noncompliance).
Category 2: Findings that are significant deficiencies in internal control and noncompliance with State laws and regulations.
Category 3: Findings that have no internal control issues but are in noncompliance with State laws and regulations.

State of Illinois, Office of the Auditor General
FRANK J. MAUTINO, AUDITOR GENERAL

To obtain a copy of the Report contact: Office of the Auditor General, Iles Park Plaza, 740 E. Ash Street, Springfield, IL 62703, (217) 782-6046 or TTY (888) 261-2887

This Report Digest and Full Report are also available on the worldwide web at www.auditor.illinois.gov

SYNOPSIS

• (19-1) The Department entered into interagency agreements that failed to adhere to the provisions of the Fiscal Control and Internal Auditing Act.
• (19-2) The Department failed to determine premiums that will allow for the establishment of an actuarial sound reserve for the Community College Health Insurance Program.
• (19-3) The Department did not demonstrate adequate controls over property and equipment.
• (19-10) The Department had not implemented adequate internal controls related to cybersecurity programs and practices.

FINDINGS, CONCLUSIONS, AND RECOMMENDATIONS

FAILURE TO ADHERE TO THE PROVISIONS OF THE FISCAL CONTROL AND INTERNAL AUDITING ACT

The Department entered into interagency agreements that failed to adhere to the provisions of the Fiscal Control and Internal Auditing Act.
During the engagement period, the Department entered into interagency agreements with the following designated State agencies to provide internal audit services. These agencies were required to maintain their own full-time program of internal auditing:

• Illinois Department of Agriculture
• Illinois Department of Corrections
• Illinois Department of Financial and Professional Regulation
• Illinois Department of Human Rights
• Illinois Department of Labor
• Illinois Department of Insurance
• Illinois Finance Authority

We noted the following issues with these interagency agreements:

• The agreements ultimately resulted in these seven agencies not maintaining their own full-time internal audit function and not having their own CIA.
• The Department did not obtain the Governor’s approval for the Department to provide professional internal auditing services to these State agencies.
• The Department inconsistently established reimbursement arrangements for these agreements and did not follow any of the reimbursement arrangements in the interagency agreements.
• The Department was not able to provide sufficient and appropriate audit evidence to document how they tracked the work performed and allocated the costs of their internal auditing services for these agencies. As a result, we were unable to audit the cost of the Department’s internal audit services provided to these agencies.

(Finding 1, pages 13-17)

We recommended the Department not enter into interagency agreements which result in agencies not maintaining their own full-time internal audit function. We also recommended any other services provided to agencies be done only with the approval of the Governor. Finally, we recommended the Department update its billing practices to ensure support for all billings is created and maintained.

The Department accepted the recommendation and stated they respect the Attorney General’s Opinion.
The Department also stated they have encouraged all agencies to find a qualified Chief Internal Auditor and that during the audit period, they issued fifty audit reports to agencies that would have not otherwise had internal audits completed.

FAILURE TO DETERMINE PREMIUMS THAT ALLOW FOR ESTABLISHMENT OF AN ACTUARIAL SOUND RESERVE

The Department failed to determine premiums that will allow for the establishment of an actuarial sound reserve for the Community College Health Insurance Program.

At June 30, 2019 and 2018, the Community College Health Insurance Program had a fund deficit of $74.9 million and $64.5 million, respectively. Additionally, the Community College Health Insurance Program experienced losses of $10.3 million and $13.2 million in fiscal years 2019 and 2018, respectively. The Community College Health Insurance Program does not have a reserve. (Finding 2, page 18)

We recommended the Department either comply with the law by working with the Office of Management and Budget to obtain the necessary appropriation to supplement the Community College Health Insurance or seek legislative relief from the statutory requirement.

The Department accepted the recommendation and stated they worked with the Governor’s Office of Management and Budget to draft and propose for introduction an amendment to the State Employees Group Insurance Act of 1971. The amendment is designed to provide for the establishment and maintenance of a reserve balance for the Community College Health Insurance Program.

INADEQUATE CONTROLS OVER PROPERTY AND EQUIPMENT

The Department did not demonstrate adequate controls over property and equipment during the engagement period. A few of the items we noted follow:

• Two of 40 expenditures totaling $30,587 met the criteria for inclusion on the annual Certification of Inventory and Discrepancy Report but were omitted.
• Forty-three of 60 assets tested were not entered into either the Common Inventory System or the Enterprise Resource Planning (ERP) timely. The late entry ranged from 6 to 5,782 days late.
• The Department included four assets, totaling $28,792, on its June 30, 2019 Property Listing that were transferred throughout fiscal year 2019.
• The Department did not provide all required information on the CMS Surplus Property Delivery Form for 4 of 60 items tested.
• Two assets were assigned the same tag number.
• For 2 of 60 deletions or transfers tested, the Department could not provide any supporting documentation.

(Finding 3, pages 19-22) This finding has been repeated since 2002.

We recommended the Department implement controls and procedures to ensure its additions are entered timely and accurately, deletions are properly recorded, and the Agency Report of State Property is timely prepared to comply with State statute and the Illinois Administrative Code.

The Department accepted the recommendation and stated they plan to hire additional staff and provide needed ERP training to the Property Control Office. They also stated the current Property Control procedures and workflows are being evaluated for efficiency and effectiveness. In addition, the Department stated the definition of high theft equipment will be reevaluated and updated in the procedure manual and all equipment that does not meet the nominal value as determined by the State Property Control Act and JCAR will be removed from ERP if it does not meet the high theft designation.

WEAKNESSES IN CYBERSECURITY PROGRAMS AND PRACTICES

The Department did not implement adequate internal controls related to cybersecurity programs and practices.
As a result of the Department’s mission to support the State by delivering innovative, responsive and effective services that provide the best value for Illinois State government and the people it serves, the Department maintains computer systems that contain large volumes of confidential or personal information such as names, addresses, and Social Security numbers of the citizens of the State.

During our examination of the Department’s cybersecurity program, practices, and control of confidential information, we noted the Department:

• Had not classified its data to identify and ensure adequate protection of information.
• Had not evaluated and implemented appropriate controls to reduce the risk of attack.
• Had not ensured all staff members completed cybersecurity training upon employment and annually thereafter.
• Had not developed a formal, comprehensive, adequate, and communicated security program to manage and monitor the regulatory, legal, environmental and operational requirements.

(Finding 10, pages 34-35)

The Department has the ultimate responsibility for ensuring confidential information is protected from accidental or unauthorized disclosure. Specifically, we recommended the Department:

• Perform a comprehensive risk assessment to identify and classify data to ensure adequate protection of confidential or personal information most susceptible to attack.
• Evaluate identified risks and implement appropriate controls to reduce the risk.
• Ensure all staff members annually complete cybersecurity training as outlined in the Data Security on State Computers Act.
• Establish and communicate the Department’s security program to manage and monitor the regulatory, legal, environmental and operational requirements.

The Department accepted the recommendation.
OTHER FINDINGS

The remaining findings pertain to interagency agreements monitoring; performance appraisals; noncompliance with the State Employment Records Act; weaknesses related to personal services; untimely and inaccurate processing of receipts; inadequate review of external service providers; inadequate controls over electronic surplus property; and noncompliance with statutory mandates. We will review progress toward implementing all recommendations in the next compliance examination.

ACCOUNTANT’S OPINION

The accountants conducted a compliance examination of the Department of Central Management Services for the two years ended June 30, 2019, as required by the Illinois State Auditing Act. The auditors qualified their report on State Compliance for findings 2019-001 and 2019-002. Except for the noncompliance described in these findings, the auditors state the Department complied, in all material respects, with the requirements described in the report.

This financial audit was conducted by Sikich, LLP.

JANE CLARK
Division Director

This report is transmitted in accordance with Section 3-14 of the Illinois State Auditing Act.

FRANK J. MAUTINO
Auditor General

FJM:skm