REPORT DIGEST DEPARTMENT OF REVENUE COMPLIANCE EXAMINATION FOR THE TWO YEARS ENDED JUNE 30, 2018 Release Date: August 15, 2019 FINDINGS THIS AUDIT: 11 CATEGORY: NEW -- REPEAT -- TOTAL Category 1: 2 -- 2 -- 4 Category 2: 5 -- 2 -- 7 Category 3: 0 -- 0 -- 0 TOTAL: 7 -- 4 -- 11 FINDINGS LAST AUDIT: 10 Category 1: Findings that are material weaknesses in internal control and/or a qualification on compliance with State laws and regulations (material noncompliance). Category 2: Findings that are significant deficiencies in internal control and noncompliance with State laws and regulations. Category 3: Findings that have no internal control issues but are in noncompliance with State laws and regulations. State of Illinois, Office of the Auditor General FRANK J. MAUTINO, AUDITOR GENERAL To obtain a copy of the Report contact: Office of the Auditor General, Iles Park Plaza, 740 E. Ash Street, Springfield, IL 62703 (217) 782-6046 or TTY (888) 261-2887 This Report Digest and Full Report are also available on the worldwide web at www.auditor.illinois.gov INTRODUCTION This digest covers our Compliance Examination of the Department of Revenue for the two years ended June 30, 2018. A separate Financial Audit as of and for the year ended June 30, 2018 was previously released on May 23, 2019. In total, this report contains 11 findings, 3 of which were also reported in the Financial Audit. SYNOPSIS • (18-04) The Department did not have adequate internal controls over the disclosure and safeguarding of taxpayer information. FINDINGS, CONCLUSIONS, AND RECOMMENDATIONS INADEQUATE CONTROLS OVER THE DISCLOSURE AND SAFEGUARDING OF TAXPAYER INFORMATION The Department of Revenue (Department) did not have adequate internal controls over the disclosure and safeguarding of taxpayer information. Specifically, we noted the Department provided unauthorized taxpayer information to another State agency, the Department was unable to provide a sufficient listing of other parties (not the public as a whole) it may have provided taxpayer information to during the examination period, and the Department failed to adequately secure working areas which contained taxpayer information. The Internal Revenue Code (Code) (26 U.S. Code §6103(a)) requires returns and return information to be confidential and no State officer or employee shall disclose return information for unofficial purposes. Further, the State of Illinois has disclosure statutes outlined within the Retailers' Occupation Tax Act (35 ILCS 120/11) and the Illinois Income Tax Act (35 ILCS 5/917). During statutory mandate testing over the Illinois Income Tax Act (35 ILCS 5/917), we noted the following: • As part of testing the Illinois Income Tax Act, we requested the Department provide a population of instances wherein information received from returns was made available to other parties (but not the whole public) during the examination period. Although the Department provided a population, documentation demonstrating the completeness and accuracy of the population could not be provided. Due to these conditions, we were unable to conclude that the population records were sufficiently precise and detailed under the Professional Standards promulgated by the American Institute of Certified Public Accountants (AT-C § 205.35). Even given the population limitations noted above, we tested a sample of instances wherein information received from returns was made available to other parties (but not the whole public). Our testing revealed the following error: • The Department provided Federal Tax Information (FTI) to the Department of Healthcare and Family Services (DHFS). Per the Income Tax Act (35 ILCS 5/917), the Department is allowed to send DHFS tax information for child support enforcement purposes in order to verify sources and amounts of income. However, we noted that from the fall of 2017 until it was discovered by the auditors in May 2018, the Department provided DHFS taxpayer information for all individuals who filed tax returns on a monthly basis. Specifically, this file included individuals who did not receive child support credit or services from DHFS. The Department’s data warehouse from which the data file was pulled is considered commingled with information received from the IRS, thus the information provided included accounts which contained FTI. In addition, during walkthroughs performed in our examination, we noted the following weaknesses: • While performing a walkthrough of controlled areas on December 14, 2018, we found physical access to the Fed/State Room was secured by a badge reader; however, the physical door was unlocked making the badge reader ineffective. • While testing controlled areas, we obtained populations of individuals who have badge access to the controlled areas. Nine out of 25 (36%) of the individuals selected for testing did not have adequate documentation to determine if their badge access to the controlled areas was appropriate. • During a walkthrough of the Willard Ice Building, we noted 4 instances of confidential information in open areas. (Finding 4, pages 21-23) This finding has been repeated since 2010. We recommended the Department ensure FTI received and provided is adequately protected from potential unauthorized access. We also recommended the Department continue to evaluate physical security over its controlled areas and confidential information to determine if policies and procedures for safeguarding the Department’s controlled areas and confidential information are adequate during business and non-business hours. The Department accepted the recommendation and noted during fiscal year 2019 additional barriers were installed restricting public access to operational areas which greatly reduces the risk of improper disclosure of taxpayer information. The Department also stated it will continue to evaluate physical security over controlled areas and confidential information to identify areas for improvement and will review its policies and procedures over the release of taxpayer information to other State agencies to aid in ensuring only authorized information is released and tracked properly. (For the previous Department response, see Digest Footnote #1.) OTHER FINDINGS The remaining findings pertain to complete populations not provided, inadequate controls over process, approval, and payment of vouchers, exceptions in testing personnel, inadequate control over contract obligation documents, lack of notification to taxpayers of available withholding tax credits, inadequate controls over processing and recording of State property and equipment, and a lack of agreement to ensure compliance with IT security requirements. We will review the Department’s progress towards the implementation of our recommendations in our next compliance examination. AUDITOR’S OPINION The financial audit report was previously released. The auditors stated the financial statements of the Department as of and for the year ended June 30, 2019, are fairly stated in all material respects. ACCOUNTANT’S OPINION The accountants conducted a compliance examination of the Department for the two years ended June 30, 2017, as required by the Illinois State Auditing Act. The accountants qualified their report on State Compliance for Findings 2018-001, 2018-002, 2018-004, and 2018-005. Except for the noncompliance described in these findings, the accountants state the Department complied, in all material respects, with the requirements described in the report. The financial audit and this compliance examination was performed by RSM US LLP. JANE CLARK Division Director This report is transmitted in accordance with Section 3-14 of the Illinois State Auditing Act. FRANK J. MAUTINO Auditor General FJM:jv DIGEST FOOTNOTES #1-2017 Controls and Safeguards over the processing of Taxpayer Information: The Department accepts the recommendation. Funding has been appropriated, and the Department is on target for a completion date within fiscal year 2018.