REPORT DIGEST

ILLINOIS DEPARTMENT OF HEALTHCARE AND FAMILY SERVICES

FINANCIAL AUDIT FOR THE YEAR ENDED JUNE 30, 2016

Release Date: March 9, 2017

FINDINGS THIS AUDIT: 4

CATEGORY: NEW -- REPEAT -- TOTAL
Category 1: 1 -- 3 -- 4
Category 2: 0 -- 0 -- 0
Category 3: 0 -- 0 -- 0
TOTAL: 1 -- 3 -- 4

FINDINGS LAST AUDIT (Government Auditing Standards Findings only): 4

Category 1: Findings that are material weaknesses in internal control and/or a qualification on compliance with State laws and regulations (material noncompliance).
Category 2: Findings that are significant deficiencies in internal control and noncompliance with State laws and regulations.
Category 3: Findings that have no internal control issues but are in noncompliance with State laws and regulations.

State of Illinois, Office of the Auditor General
FRANK J. MAUTINO, AUDITOR GENERAL

To obtain a copy of the Report contact: Office of the Auditor General, Iles Park Plaza, 740 E. Ash Street, Springfield, IL 62703, (217) 782-6046 or TTY (888) 261-2887

This Report Digest and Full Report are also available on the worldwide web at www.auditor.illinois.gov

SYNOPSIS

• (16-001) The Department and the Department of Human Services lacked internal controls over the operation of the State of Illinois’ Integrated Eligibility System to sufficiently prevent or detect defects that caused inaccurate determinations of eligibility.
• (16-002) The Department and the Department of Human Services failed to implement adequate security, change management, and recovery controls over the State of Illinois’ Integrated Eligibility System.
• (16-003) The Department did not obtain or conduct timely independent internal control reviews over its external service providers.

FINDINGS, CONCLUSIONS, AND RECOMMENDATIONS

INACCURATE DETERMINATION OF ELIGIBILITY

The Department of Healthcare and Family Services and the Department of Human Services (Departments) lacked internal controls over the operation of the State of Illinois’ Integrated Eligibility System to sufficiently prevent or detect defects that caused inaccurate determinations of eligibility.

In order to obtain social services, individuals are evaluated on many financial and non-financial criteria. To test the accuracy of IES’ determination of eligibility for benefits, we selected a sample of a subset of non-financial eligibility criteria (residency, citizenship, and social security information). After testing all individuals approved within IES from July 1, 2015 to June 30, 2016, we noted multiple defects which resulted in individuals being improperly approved for certain programs.

The defects identified resulted in inappropriate expenditures being made to or on behalf of individuals. During Fiscal Year 2016, the inappropriate expenditures paid by the Departments totaled $8,003,585 for 2,198 distinct cases. (Finding 1, pages 45-47)

We recommended the Departments implement adequate controls over the operations of IES to provide a high level of assurance that all defects are rectified in a timely manner. We also recommended the Departments evaluate all eligibility criteria within IES so that cases are properly approved and caseworkers are properly trained to obtain and retain documentation in support of case eligibility determination.

The Departments accepted the recommendation and stated they have taken steps to address issues noted by the auditors.

LACK OF CONTROLS OVER THE INTEGRATED ELIGIBILITY SYSTEM

The Department of Healthcare and Family Services and the Department of Human Services (Departments) failed to implement adequate security, change management, and recovery controls over the State of Illinois’ Integrated Eligibility System (IES).

During the prior audit, we determined the Departments had not implemented adequate controls over security, change management, and disaster recovery. During the current audit, the auditors determined the Departments had not taken appropriate corrective action to correct these weaknesses. Some of the critical deficiencies we noted are as follows:

• Access Security Control: We identified individuals and developers with unneeded or inappropriate access rights. Furthermore, the Departments’ own review noted issues with separation of duties, inappropriate access rights, security administration, and access rights documentation.
• Infrastructure Security: We identified servers running outdated operating systems, running outdated or lacking antivirus software, and not being backed up. In addition, the development vendor and subcontractor had administrative rights to the production environment and only one State employee had access to the IES production environment.
• Change Management: The Departments had not developed change management policies and procedures for IES modifications. Additionally, a review by the Departments concluded the vendor and subcontractor made changes to IES that were not approved by the State.
• Disaster Recovery: The Departments did not conduct testing of IES’ disaster recovery plan to ensure it could be recovered in the event of an outage. (Finding 2, pages 48-49)

We recommended the Departments establish and maintain adequate controls over the security, availability, integrity, and confidentiality of IES data.

The Departments accepted the recommendation and stated they have taken steps to address issues noted by the auditors.

LACK OF ADEQUATE CONTROLS OVER THE REVIEW OF INTERNAL CONTROLS OVER SERVICE PROVIDERS

The Department of Healthcare and Family Services (Department) did not obtain or conduct timely independent internal control reviews over its external service providers.

During testing, we noted some of the following:

• The Department did not obtain Service Organization Control (SOC) reports or conduct independent internal control reviews of all the external service providers.
• As of June 30, 2016, the Department had not performed an analysis to determine the need to obtain information as to subservice organizations’ internal controls.
• All agreements between the Department and the external service providers did not contain a requirement for an independent review to be completed. (Finding 3, pages 50-51)

We recommended the Department obtain or perform independent reviews of internal controls associated with third party service providers at least annually. In addition, we recommended the Department assess and obtain applicable reports over the internal controls in place at the subservice organizations.

The Department accepted the recommendation.

OTHER FINDINGS

The remaining finding is reportedly being given attention by Department personnel. We will review progress toward implementation of our recommendation in our next Audit/Examination.

AUDITOR’S OPINION

Our auditors stated the financial statements of the Department of Healthcare and Family Services as of June 30, 2016, and for the year then ended, are fairly stated in all material respects.

This financial audit was conducted by the firm of Sikich LLP.

BRUCE L. BULLARD
Division Director

This report is transmitted in accordance with Section 3-14 of the Illinois State Auditing Act.

FRANK J. MAUTINO
Auditor General

FJM:JV