DEPARTMENT OF EMPLOYMENT SECURITY
For the Year Ended June 30, 2010
Summary of Findings:
Total this audit: 1
Total last audit: 3
Repeated from last audit: 1
Release Date: February 10, 2011
State of Illinois, Office of the Auditor General
WILLIAM G. HOLLAND, AUDITOR GENERAL
To obtain a copy of the Report contact:
Office of the Auditor General, Iles Park Plaza, 740 E. Ash Street, Springfield, IL 62703
(217) 782-6046 or TTY (888) 261-2887
This Report Digest and Full Report are also available on the worldwide web at www.auditor.illinois.gov
This report covers our financial audit of the Department of Employment Security’s Non-Shared Funds for the year ended June 30, 2010. A State compliance examination covering the two years ended June 30, 2011 will be performed next year.
• The Department did not properly restrict the use of the Super ID access to its information systems.
• In July 2009 the State of Illinois began receiving repayable advances from the Federal Government for the Illinois Unemployment Compensation Trust Fund. At June 30, 2010, this amount totaled approximately $2,239,582,000.
FINDINGS, CONCLUSIONS, AND RECOMMENDATIONS
INADEQUATE CONTROLS OVER COMPUTER SECURITY
The Department of Employment Security (Department) did not properly restrict the use of the Super ID access to its information systems.
The Information Services Bureau (ISB) was responsible for the development and maintenance of the Department’s information systems and preserving the integrity and security of information warehoused within those systems. The Department processed approximately $1.8 billion in employer unemployment tax revenue contributions and $8.3 billion of unemployment payments in fiscal year 2010.
As noted in prior years, the managers of application development had access to the production environment. This access was granted through the use of Super IDs, which allowed full access to all production software and data tables in the production environment. The Department had issued five Super IDs. Managers allowed their staff to utilize these accounts by sharing the password.
During the audit period we found that ISB programmers continued to share and use Super IDs on a non-emergency basis in the production environment to resolve transactional or application-related problems. The usage even increased by 35% compared to approximately the same period last year. As a compensating control, the Support Services Division Manager compared the system log to an independent log which documented the use and approval for each instance of access to the production environment. We tested the independent log and noted the supporting approval documents.
The frequent use of the Super IDs increased the risk of unauthorized access to systems and data which could jeopardize the integrity of the Department’s resources. Programming staff should generally be limited to accessing only the information specifically required to complete their assigned system development projects. (Finding 1, Pages 39-40) This finding was first reported in 2008.
We recommended that the Department allocate the resources necessary to correct day-to-day transactional and applications-related information systems problems, without compromising the security of those systems by overutilizing Super ID access rights. Further, we recommended that the use of the Super ID be restricted to emergency uses as required by Department policy.
Department officials accepted the recommendation and stated that system and programming changes have been made that have driven down the number of transactional problems that resulted in non-emergency Super ID utilization, and they will continue to rely on existing compensating controls while working to minimize the related transactional problems. (For the previous Department response, see Digest footnote #1)
Our auditors stated the financial statements present fairly, in all material respects, the financial position of the Non-shared Funds of the Department of Employment Security as of June 30, 2010, and the changes in financial position and cash flows, where applicable, thereof for the year then ended.
WILLIAM G. HOLLAND
SPECIAL ASSISTANT AUDITORS
E.C. Ortiz & Co., LLP were our special assistant auditors.
#1 – Inadequate Controls Over Computer Security – Previous Department Response
We accept the recommendation. The Department will examine the resource implications of implementing the recommendation. Given the record volume of unemployment claimants in the current environment, the Department may occasionally need to use extraordinary measures in order to ensure timely service to claimants. In these cases, the Department will continue to leverage the compensating controls which are in place and currently provide detailed system access logs.