REPORT DIGEST DEPARTMENT OF STATE POLICE COMPLIANCE EXAMINATION FOR THE TWO YEARS ENDED: JUNE 30, 2016 Release Date: May 25, 2017 FINDINGS THIS AUDIT: 13 CATEGORY: NEW -- REPEAT -- TOTAL Category 1: 0 -- 2 -- 2 Category 2: 6 -- 5 -- 11 Category 3: 0 -- 0 -- 0 TOTAL: 6 -- 7 -- 13 FINDINGS LAST AUDIT: 11 Category 1: Findings that are material weaknesses in internal control and/or a qualification on compliance with State laws and regulations (material noncompliance). Category 2: Findings that are significant deficiencies in internal control and noncompliance with State laws and regulations. Category 3: Findings that have no internal control issues but are in noncompliance with State laws and regulations. State of Illinois, Office of the Auditor General FRANK J. MAUTINO, AUDITOR GENERAL To obtain a copy of the Report contact: Office of the Auditor General, Iles Park Plaza, 740 E. Ash Street, Springfield, IL 62703 (217) 782-6046 or TTY (888) 261-2887 This Report Digest and Full Report are also available on the worldwide web at www.auditor.illinois.gov INTRODUCTION This report relates to the Compliance Examination of the Department of State Police for the two years ended June 30, 2016. SYNOPSIS • (16-1) The Department did not exercise adequate control over the recording and reporting of its State property and equipment. • (16-2) The Department did not properly maintain and report accounts receivable records for the Road Fund. • (16-5) The Department did not maintain adequate security controls over computer systems to safeguard confidential information. • (16-8) The Department did not exercise adequate controls over voucher processing. FINDINGS, CONCLUSIONS, AND RECOMMENDATIONS NEED TO IMPROVE CONTROLS OVER PROPERTY AND EQUIPMENT The Department of State Police (Department) did not exercise adequate control over the recording and reporting of its State property and equipment. Some of the items noted follow: • 60 of 60 (100%) items listed as lost or missing could possibly have confidential information stored on them. • The Department was unable to reconcile differences noted between the Expenditure by Quarter Report and the Agency’s Report on State Property (C-15) Reports. • The Department’s property records did not agree to the C-15 Reports filed with the Office of the State Comptroller. • 18 of 18 (100%) capital lease copiers tested, totaling $95,013, were not reported on the C-15 Reports • 30 of 60 (50%) vouchers, totaling $2,474,050, included items that were not added to the Department’s inventory records. • 44 of 60 (73%) items, totaling $31,639,604, were added to the Department’s inventory records between 2 and 358 days late. • Annual Certifications of Inventory could be inaccurate based upon failure to perform reconciliations of the Department’s property records. • 16 of 60 (27%) items, totaling $33,760, were reported on the Annual Certifications of Inventory as being unable to be located. • 17 of 30 (57%) Accounting for Leases- lessee Forms (SCO560), totaling $93,726, included maintenance cost in the rent per period input on the SCO-560 form. • 4 of 60 (7%) items located within the Department were not found on the Department’s property records. • The Department’s property control manual does not reference the services that the Public Safety Shared Services Center performs for the Department. (Finding 1, pages 9-13) This finding was first reported in 2002. We recommended the Department develop procedures to immediately assess if a computer may have contained confidential information whenever it is reported lost, stolen, or missing during the annual physical inventory, and document the results of the assessment. Also, the Department should ensure all equipment is accurately and timely recorded or removed from the Department’s property records and ensure accurate reports are submitted to the Comptroller. Further, the Department should update its property control manual and continue to strengthen controls over the recording and reporting of its State property and equipment by reviewing their inventory and recordkeeping practices to ensure compliance with statutory and regulatory requirements. Department management concurred with the finding and recommendation and stated they continue to struggle with the effects of the central property control unit being located outside of the agency within the Public Safety Shared Services Center therefore delaying processing of paperwork as well as removing property control subject matter experts from the agency. (For the previous Department response, see Digest Footnote #1.) INADEQUATE CONTROLS OVER ACCOUNTS RECEIVABLE The Department did not properly maintain accounts receivable records for the Road Fund (Fund) and failed to accurately report accounts receivables on the Quarterly Summary of Accounts Receivable Reports (Reports) to the Office of the Comptroller. During testing, we noted the accounts receivable records for the Fund were incomplete. The Department did not post all new billings or payments received against the receivable balances which resulted in the accounts receivable listing being inaccurate. The Department’s estimate of accounts receivable for the Fund was $1,020,000 at June 30, 2015 and $0 at June 30, 2016. (Finding 2, pages 14-15) This finding was first reported in 2010. We recommended the Department keep accurate and detailed records of all billings and the corresponding collections to facilitate proper reporting of accounts receivable activity. Further, the Department should strengthen procedures and allocate necessary resources to properly post payments. Department management concurred with the finding and recommendation and stated accounts receivable reporting is a function of the Public Safety Shared Services Center (PSSSC). The Department will work with PSSSC to develop a plan to address the ongoing issues and together they will continue to work to ensure accurate and timely reporting of accounts receivable. (For the previous Department response, see Digest Footnote #2.) FAILURE TO MAINTAIN SECURITY CONTROLS OVER COMPUTER SYSTEMS The Department did not maintain adequate security controls over computer systems to safeguard confidential information. During testing, we noted the Department: • Did not have a mechanism in place to ensure electronically transmitted information was secured or encrypted, other than Law Enforcement Agencies Data System (LEADS) information. • Had not deployed encryption software on all laptops and data at rest. • Had not ensured surplus equipment was secured and tracked prior to disposal. Additionally, the Department had not ensured leased equipment was properly wiped prior to returning it to the vendor. • Had not ensured servers, switches, and firewalls were running on supported hardware, current operating systems, and current antivirus software. • Had not effectively implemented available security controls; password content and change interval settings did not conform to policy requirements, a powerful default administrator account had not been disabled, and individuals’ network access was not timely deactivated. (Finding 5, pages 20-21) This finding was first reported in 2010. We recommended the Department: • Install automatic encryption software on all laptops and data at rest, and secure and encrypt confidential data transmitted through the network. • Implement procedures to ensure that surplus equipment is secured and properly tracked while awaiting disposal. • Implement procedures to ensure all leased equipment is properly wiped prior to return. • Ensure network equipment is running supported hardware, operating systems, and antivirus software. • Ensure password security content and change interval settings conform to policy requirements. • Disable the default administrator account. • Timely deactivate user’s network access upon termination. Department management concurred with the finding and recommendation and stated they recognize the need to maintain adequate security controls. Many of the recommendations are currently being implemented or being planned as a part of the statewide consolidation. (For the previous Department response, see Digest Footnote #3.) VOUCHER PROCESSING WEAKNESSES The Department did not exercise adequate controls over voucher processing. Some of the conditions noted follow: • 47 of 238 (20%) Fiscal Year 2015 vouchers tested, totaling $5,800,978, were approved for payment 1 to 254 days late. • 51 of 215 (24%) Fiscal Year 2016 vouchers tested, totaling $2,246,074 were approved for payment 4 to 277 days late. • 11 of 196 (6%) Fiscal Year 2015 vouchers tested, totaling $415,161, accrued required interest charges of $2,933 which were not paid by the Department. • 18 of 177 (10%) Fiscal Year 2016 vouchers tested, totaling $1,254,358, accrued required interest charges of $16,467 which were not paid by the Department. (Finding 8, pages 28-29) This finding was first reported in 2004. We recommended the Department ensure vouchers are approved within the required time frame and the required interest is paid. Department management concurred with the finding and recommendation and stated voucher processing begins within the Department and is finalized at the Public Safety Shared Services Center (PSSSC). (For the previous Department response, see Digest Footnote #1.) OTHER FINDINGS The remaining findings pertain to: 1) delinquent accounts receivable were not aggressively pursued, 2) lack of project management over information technology projects, 3) weaknesses in change management policies, procedures and practices of computer systems, 4) noncompliance with specific statutory mandates, 5) inadequate controls over monthly accounting reconciliations, 6) failure to timely process and record cash receipts, 7) failure to follow policies and procedures over asset seizures and forfeitures, 8) inadequate controls over contracts, and 9) contingency planning weaknesses related to recovery of computer systems. We will review the Department’s progress towards the implementation of our recommendations in our next compliance examination. ACCOUNTANT’S OPINION The accountants conducted a compliance examination of the Department for the two years ended June 30, 2016, as required by the Illinois State Auditing Act. The accountants qualified their report on State compliance for findings 2016-001 and 2016-002. Except for the noncompliance described in these findings, the accountants stated the Department complied, in all material respects, with the requirements described in the report. This compliance examination was conducted by West & Company, LLC. JANE S. CLARK Division Director This report is transmitted in accordance with Section 3-14 of the Illinois State Auditing Act. FRANK J. MAUTINO Auditor General FJM:SW DIGEST FOOTNOTES #1 NEED TO IMPROVE CONTROLS OVER PROPERTY AND EQUIPMENT – Previous Department Response 2014: The ISP concurs. The Public Safety Shared Services Center (PSSSC) will continue to work to process property transactions within the allowable timeframes and ensure accurate information is entered into the system. ISP will need to ensure that all requested documentation is provided to Property Control in a timely manner so new items may be added to the system. The ISP continues to struggle with the effects of the central property control unit being located outside of the agency within the PSSSC therefore delaying processing of paperwork as well as removing property control subject matter experts from the agency. #2 INADEQUATE CONTROLS OVER ACCOUNTS RECEIVABLE REPORTING – Previous Department Response 2014: The ISP concurs. Accounts receivable reporting is a function of PSSSC. We will continue to work to ensure accurate and timely reporting of accounts receivable. #3 FAILURE TO MAINTAIN SECURITY CONTROLS OVER COMPUTER SYSTEMS AND CONFIDENTIAL INFORMATION – Previous Department Response 2014: The ISP concurs. The ISP will explore possibilities to upgrade software solutions and support resources to strengthen security controls over computer systems. The ISP will work to ensure all Departmental policies regarding security controls and safeguards over confidential information are adhered to. #4 VOUCHER PROCESSING WEAKNESSES – Previous Department Response 2014: The ISP concurs. The PSSSC will continue to work to process vouchers in a timely manner. There was significant staff turnover in the vouchering division that contributed to the untimely processing. ISP will need to ensure that cost center staff are submitting vouchers to the PSSSC in a timely manner for processing.