REPORT DIGEST

DEPARTMENT OF CHILDREN AND FAMILY SERVICES

FINANCIAL AUDIT
FOR THE YEAR ENDED JUNE 30, 2018

Release Date:  August 22, 2019

FINDINGS THIS AUDIT:  3

CATEGORY:  NEW -- REPEAT -- TOTAL
Category 1:  3 -- 0 -- 3
Category 2:  0 -- 0 -- 0
Category 3:  0 -- 0 -- 0
TOTAL:  3 -- 0 -- 3

FINDINGS LAST AUDIT: 0

Category 1: Findings that are material
weaknesses in internal control and/or a
qualification on compliance with State laws
and regulations (material noncompliance).
Category 2: Findings that are significant
deficiencies in internal control and
noncompliance with State laws and
regulations.
Category 3: Findings that have no internal
control issues but are in noncompliance
with State laws and regulations.

State of Illinois, Office of the Auditor
General
FRANK J. MAUTINO, AUDITOR GENERAL

To obtain a copy of the Report contact:
Office of the Auditor General, Iles Park
Plaza, 740 E. Ash Street, Springfield, IL
62703
(217) 782-6046 or TTY (888) 261-2887

This Report Digest and Full Report are also
available on the worldwide web at
www.auditor.illinois.gov

INTRODUCTION

This digest covers the Department of
Children and Family Services’ Financial
Audit as of and for the year ended June 30,
2018.  The Department of Children and
Family Services’ Compliance Examination
covering the two years ended June 30, 2018
will be released under separate cover.

SYNOPSIS

• (18-1) The Departments (HFS, DHS, DCFS,
DoA) failed to execute adequate internal
controls over the implementation and
operation of the State of Illinois’
Illinois-Michigan Program Alliance for Core
Technology system (IMPACT).

FINDINGS, CONCLUSIONS, AND RECOMMENDATIONS

STATEWIDE FAILURE TO EXECUTE INTERAGENCY
AGREEMENTS AND PERFORM ESSENTIAL PROJECT
MANAGEMENT FUNCTIONS OVER PROVIDER
ENROLLMENT IN THE MEDICAID PROGRAM

The Department of Healthcare and Family
Services (HFS), the Department of Human
Services (DHS), the Department of Children
and Family Services (DCFS), and the
Department on Aging (DoA) (collectively,
the “Departments”) failed to execute
adequate internal controls over the
implementation and operation of the State
of Illinois’ Illinois-Michigan Program
Alliance for Core Technology system
(IMPACT). Specifically, management of the
Departments did not enter into interagency
agreements (IA) defining each agency’s
roles and responsibilities, and did not
perform essential project management
functions over the implementation of
IMPACT.

HFS’ and Delegated Agencies’ Roles

As set by the State of Illinois’ State Plan
under Title XIX of the Social Security Act
(State Plan) (Section 1.1), the State’s
designated agency responsible for
administering and supervising the
administration of the Medicaid Program is
HFS.  However, Section 1.1 of the State
Plan also allows for HFS to delegate
specific functions to other State entities
to assist with the administration of the
Medicaid Program, pursuant to a written IA
defining each agency’s roles and
responsibilities.  During our testing, we
identified the following delegated
agencies, which we will refer to as HFS’
Delegated Agencies, and examples of the
Medicaid services they provide which
utilizes IMPACT for enrollment of their
providers. DHS administers several human
service programs under the Medicaid
Program, including developmental
disabilities support services,
rehabilitation services, and substance
abuse (prevention and recovery) services.
DCFS administers the State’s child welfare
program which includes cooperating in the
establishment of Medicaid eligibility for
children who are wards of the State.  DoA
administers the State’s programs for
residents aged 60 and older, including Home
and Community Based Services to Medicaid
recipients who meet Community Care Program
requirements.

Auditor Testing and Results

In order to determine if the Departments
complied with federal and State laws,
rules, and regulations when they developed,
implemented, and operated IMPACT, we
reviewed the Departments’ applicable
policies and procedures governing IMPACT.
Our testing identified the following
material weaknesses in internal control:

• The Departments did not have current,
formal written agreements defining the
roles and responsibilities of HFS or its
Delegated Agencies of the Medicaid Program.

• While DHS utilized IMPACT to formally
approve providers for the purposes of
granting payments of their Medicaid claims,
it did not utilize IMPACT as its book of
record or rely on it to verify the
providers met certain federal requirements.
In this instance, the book of record means
the mandatory system designated by HFS to
be used for the tracking of the State’s
activities, events, or decisions when
approving or denying the enrollment of
Medicaid providers. When we inquired of DHS
as to why it did not retain the
documentation within IMPACT to support its
determination of enrollment, DHS management
stated it chose to maintain the supporting
documentation outside of IMPACT as it could
not rely on IMPACT.

• When we inquired of DCFS and DoA as to
what their processes were regarding the use
of IMPACT, they both stated they did not
use IMPACT after formally approving the
providers for the purpose of granting
payments of their Medicaid claims. They
both believed HFS was doing the subsequent
review of and maintenance of provider
enrollment information for them. After
asking HFS to confirm if DCFS’ and DoA’s
statements were accurate, HFS management
stated that was not the case and both DCFS
and DoA had the responsibility to
subsequently review their providers
eligibility for enrollment in the Medicaid
program.

• The Departments implemented IMPACT
despite the inability of IMPACT to allow
Illinois officials to generate customary
and usual system internal control reports,
including such information as provider
data, security measures, or updates made to
IMPACT. The Departments must go through the
third party service provider (TSP) in order
to obtain any reports needed by the State.

• Based on testing of the documented
procedures governing IMPACT, we noted the
following:

– the procedures only addressed the actions
that should have been taken by HFS and did
not include the procedures to be followed
or taken by the Delegated Agencies,
– the procedures contained contradictory
provisions, and
– the procedures did not depict the actual
actions taken by HFS staff during the audit
period.

• The Departments failed to establish and
maintain adequate general information
technology controls over IMPACT.

• The Departments had inadequate project
management over the implementation of
IMPACT. According to the Intergovernmental
Agreements, Amendments, and Statements of
Work signed between HFS and the TSP, who
maintains and hosts IMPACT, the TSP was to
provide HFS various deliverables throughout
the implementation of the project for its
timely review and approval.   During our
testing of the deliverables required to be
provided, we noted the following:

– HFS did not receive 9 of the 60 (15%)
required deliverables,
– For 39 of the 51 (76%) deliverables
received, there was no supporting
documentation to demonstrate HFS had
approved them, and
– One of the 51 (2%) deliverables received,
the PE Implementation Plan, was noted as
“draft”. As a result, HFS does not have
supporting documentation to show it
received and approved the “final” version
of the deliverable.  The purpose of the PE
Implementation Plan was to define the
overall approach for the implementation of
the PE module of IMPACT.

• As a result of inadequate project
management, the Departments did not
implement adequate security controls over
IMPACT.

• The Departments did not design and
establish an adequate internal control
structure over provider enrollment
determination such that sufficient and
appropriate evidence, maintained in a
paperless format, existed to support each
provider met various compliance
requirements at the time when the
Departments determined each provider’s
eligibility. Further, management at the
Departments failed to adequately monitor
manual provider enrollment determinations,
as (1) staff did not consistently document
their review of the provider applications
in accordance with HFS’ Process Checklists
and (2) HFS did not establish a system of
supervisory reviews of work performed by
staff.

Failure to execute IAs and failure to
perform essential project management
functions could expose the State to
unnecessary and avoidable litigation,
approval of ineligible providers, excessive
expenditures, over-reliance on contractors,
and could result in a system that does not
meet the needs of the State and the
individuals dependent on the State for
Medicaid services. In addition, the
Departments’ lack of due diligence in
performing project management
responsibilities has led to a significant
increase in project timeline and associated
costs.  (Finding 1, pages 54-60)

We recommended management of the
Departments execute detailed IAs which
define the roles and responsibilities of
each agency regarding the Medicaid Program.
The IAs should sufficiently address
necessary procedures to enforce monitoring
and accountability provisions over IMPACT
as required by the Code of Federal
Regulations, the State Plan, and the Act so
the enrollment of providers offering
services to recipients of the Medicaid
program is carried out in an effective,
compliant, efficient, and economical
manner. We further recommended the
Departments obtain and review/approve the
remaining deliverables from the TSP and, in
the future, the Departments should
establish adequate controls over project
management for the development and
implementation of major projects, such as
IMPACT.

Department officials agreed with the
recommendation and stated they look forward
to discussions and will work towards
executing agreement(s) that will define its
role, responsibilities and cooperation with
other State agencies with regard to IMPACT
and the State’s Medicaid Program.

OTHER FINDINGS

The remaining findings pertain to
inadequate general information technology
controls over IMPACT and insufficient
review and documentation to provide
enrollment determinations.  We will review
the Department’s progress towards the
implementation of our recommendations in
our next audit.

AUDITOR’S OPINION

The auditors stated the financial
statements of the Department as of and for
the year ended June 30, 2018, are fairly
stated in all material respects.

This financial audit was conducted by
Sikich, LLP.

JANE CLARK
Division Director

This report is transmitted in accordance
with Section 3-14 of the Illinois State
Auditing Act.

FRANK J. MAUTINO
Auditor General

FJM:APA