Environmental Protection Agency

REPORT DIGEST

ENVIRONMENTAL PROTECTION AGENCY

FINANCIAL AND COMPLIANCE AUDIT

(In accordance with the Single Audit Act and OMB Circular A-133)

For the Year Ended:
June 30, 1999

Summary of Findings:

Total this audit 4

Total last audit 7

Repeated from last audit 3

Release Date:
March 9, 2000

State of Illinois
Office of the Auditor General

WILLIAM G. HOLLAND

AUDITOR GENERAL

To obtain a copy of the Report contact:
Office of the Auditor General
Attn: Records Manager
Iles Park Plaza
740 E. Ash Street
Springfield, IL 62703

(217)782-6046 or TDD (217) 524-4646

This Report Digest is also available on
the worldwide web at
http://www.state.il.us/auditor

SYNOPSIS

EPA's Internal Audit department has not completed reviews of five significant internal control systems as required by the Fiscal Control and Internal Auditing Act.

The Agency did not have an adequate computer disaster recovery plan.

The Agency had inadequate procedures to ensure that property records were complete and accurate.

{Expenditures and Activity Measures are summarized on the reverse page.}

ENVIRONMENTAL PROTECTION AGENCY

FINANCIAL AND COMPLIANCE AUDIT

For The Year Ended June 30, 1999

EXPENDITURE STATISTICS	FY 1999	FY 1998
Total Expenditures (All Funds)	$340,228,757	$318,692,986
OPERATIONS TOTAL % of Total Expenditures	$179,224,894 52.68%	$141,968,181 44.55%
Personal Services % of Operations Expenditures Average No. of Employees	$35,708,059 19.92% 1,228	$35,939,552 25.31% 1,219
Other Payroll Costs (FICA, Retirement) % of Operations Expenditures	$9,762,997 5.45%	$8,714,565 6.14%
Contractual Services % of Operations Expenditures	$44,095,900 24.60%	$11,557,326 8.14%
All Other Operations Items % of Operations Expenditures	$89,657,938 50.03%	$85,756,738 60.41%
GRANTS TOTAL % of Total Expenditures	$161,003,863 47.32%	$176,724,805 55.45%
Cost of Property and Equipment	$29,243,791	$31,175,461
SERVICE EFFORTS AND ACCOMPLISHMENTS	FY 1999	FY 1998
AIR POLLUTION CONTROL Title V Permits issued………………………… State Permits/Certifications/Registrations Issued Facilities inspected Vehicle emission tests performed	582 7,000 3,000 1,575,000	530 3,699 2,811 1,752,000
LAND POLLUTION CONTROL Permits issued………………………………… Facilities inspected Cleanup programs: Federal superfund cleanup (State-lead) State cleanup projects completed Leaking Underground Storage Tanks: Incidents reported Household Hazardous Waste Collections………	757 4,720 1 6 1,935 7	829 5,800 - 8 1,626 26
WATER POLLUTION CONTROL Permits issued Facilities inspected Financial assistance: Wastewater loans issued Drinking water loans issued	8,421 1,585 35 28	*13,984 1,815 24 5
AGENCY DIRECTOR(S)
During Audit Period: Mary Gade (7/1/98 to 1/18/99) Thomas V. Skinner (1/19/99 to 6/30/99) Currently: Thomas V. Skinner

* Includes re-issuance of storm-water permits on a five-year cycle.

Reviews of administrative support services, purchasing, property, revenue and electronic data processing systems were not completed

No tests or updates to the Disaster Recovery Plan have been made since June 1993

$1,097,609 in installment purchases not recorded

FINDINGS, CONCLUSIONS, AND
RECOMMENDATIONS

INCOMPLETE AUDITING OF INTERNAL CONTROL SYSTEMS

Internal Audit has not completed reviews of five significant internal control systems as required by the Fiscal Control and Internal Auditing Act. (FCIAA)

The FCIAA (30 ILCS 10/2003) requires the Agency to perform audits of major systems of internal accounting and administrative control on a periodic basis so that all major accounting systems are reviewed at least once every two years. FCIAA also provides for special audits of operations, procedures and other activities as directed by the chief executive officer. Of the major internal control systems applicable to the Agency, reviews of the administrative support services, purchasing, property, revenue, and electronic data processing systems were not completed. These systems are significant to the operations and functions of the Agency.

Incomplete auditing of all major internal control systems increases the risk that significant internal control weaknesses will exist and errors and irregularities may go undetected. (Finding 1, pages 20-22) This finding has been repeated since 1996.

We recommended the Agency complete reviews of all major systems of internal accounting and administrative controls at least once every two years as required by the Fiscal Control and Internal Auditing Act.

Agency officials disagreed with the list of systems of internal accounting and administrative control which the statutes require to be audited. They stated that they rely on the work of external auditors so as not to duplicate audit effort and feel that they have an effective internal audit program. We do not accept the Agency's position. The requirements of the law are clear. The Agency should comply with the statutory requirement and review all major systems of internal accounting and administrative control at least once every two years. (For the previous Agency responses, see Digest footnote #1.)

INADEQUATE COMPUTER DISASTER RECOVERY PLAN

The Agency did not have an adequate plan for reacting to disasters.

The Agency has approximately $7.6 million of computer equipment located at its facilities throughout the State. The Agency has approximately 1,274 microcomputers connected to local area networks (LANs) that process critical applications.

The disaster recovery and contingency plan is dated October 1992. The plan does not include recovery procedures for LANs. No tests or updates of the system have been made since June 1993. An alternative work site has not been agreed on and the names, addresses and phone numbers of essential personnel were not current.

A written and tested disaster recovery plan can greatly assist management in coping with service disruptions resulting from fires, floods, storm, power failures or vandalism. (Finding 2, pages 23-24) This finding has been repeated since 1996.

We recommended the Agency provide an effective disaster contingency plan for reacting to disasters.

Agency officials responded they plan to have a disaster recovery plan by September 1, 2000. (For the previous Agency responses, see Digest footnote #2.)

INADEQUATE PROCEDURES FOR PROPERTY AND EQUIPMENT

The Agency had inadequate procedures to ensure all property transactions were properly reflected in the property reports, and installment purchase agreements were not properly reported in the permanent property records.

One vehicle costing $11,525 had been transferred to surplus but remained on the fixed asset records, and one computer costing $7,100 was disposed of but remained on the property records. Also, the Agency did not properly report all property items acquired under installment purchase agreements. A total of $1,097,609 in installment purchases were not reflected on the permanent property records. In addition, the Agency Quarterly Fixed Asset Reports were not corrected to reflect a prior year posting error totaling $2,997,537 that had been corrected on the Agency permanent property inventory. As a result, the permanent property records have been understated and the Quarterly reports have been overstated. The Agency had not properly reconciled the property records to identify and correct the errors. (Finding 3, page 25)

The Agency accepted our recommendations to strengthen controls over property by improving the reconciliation process and implementation of other controls over deletions/dispositions of equipment.

OTHER FINDINGS

The remaining finding and recommendation is less significant and is being given attention by the Agency. We will review progress towards the implementation of our recommendations during the Agency’s next audit.

Stuart Gresham, Chief Internal Auditor, provided the responses to our findings and recommendations.

AUDITORS’ OPINION

Our auditors state the June 30, 1999 combined financial statements of the Agency are fairly presented.

____________________________________

WILLIAM G. HOLLAND, Auditor General

WGH:TEE:pp

SPECIAL ASSISTANT AUDITORS

Our special assistant auditors were Sikich Gardner & Co, LLP.

DIGEST FOOTNOTES

#1 INCOMPLETE AUDITING OF INTERNAL CONTROL SYSTEMS – Previous Agency Responses

1998: Accepted. We will continue to make the necessary adjustments in audit coverage to ensure that all significant control systems are audited while continuing to provide management with meaningful reviews of program operations.

1996: Accepted. The audit report states that Internal Audits did not perform adequate reviews of the personnel/payroll and property control systems during the two-year audit period. This finding is based on the fact that five audits of control systems were begun but not completed during the audit period. It is not unusual that some internal audits would span external audit periods. The Agency believes that the audits of our personnel/payroll and property control systems, although not completed by the end of the audit period, nevertheless met the requirements of FCIAA. In fact, corrective action had begun in FY96 based on those audits in progress, as problem areas were identified. Such corrective action is reflected, for example, in our response to Finding #6, relative to property control. Although we disagree with this finding with regard to exactly what is required under FCIAA, we will make every effort to comply with the recommendation in the future.

#2 INADEQUATE COMPUTER DISASTER RECOVERY PLAN – Previous Agency Responses

1998: Accepted. The Agency has been reviewing its use of information technology. As a result of that review, all network servers are being centralized into a single computer room to provide efficiency of operations, automated backup, and adequate physical and network security. With the completion of the centralization process, the disaster recovery process will be restarted and a disaster recovery plan should be completed and tested by December 31, 1999.

1996: Accepted. The Disaster Recovery Plan is being updated and expanded to include LAN-based applications. The updated plan will be tested upon completion and will be reviewed and updated annually.

The responsibility for updating the current Disaster Recovery Plan has been assigned to the Agency Security Officer to be completed by July 1, 1997. The updated plan will cover LAN-based systems. As of February 1, 1997, she has developed a work plan and an outline for the new Disaster Recovery Plan, and has begun to gather data on Agency systems.

The agreement with the Agency’s minicomputer vendor has been reviewed. In view of the Agency’s decision to upgrade the Laboratory Information Management System on a LAN-based platform, it has been determined that it will be more cost effective to redesign the remaining applications on the minicomputers than to maintain an agreement for a hot-spare. Redesign of these systems will proceed as staffing allows.

The Agency Security Officer is a member of a DCMS committee working on establishing a LAN recovery site at the State Fairgrounds. This site will allow the Agency to reestablish its LAN-based network and applications after a disaster and will replace the previously proposed work site at the Illinois Department of Public Aid.

Personnel changes, addresses, and phone numbers will be updated as part of the revision of the Agency Disaster Recovery Plan.

It is the responsibility of the Security Officer to review the plan annually, supervise testing, and update the plan as needed.