ILLINOIS STATE TOLL HIGHWAY AUTHORITY
For the Year Ended:
Summary of Findings:
Total this audit 11
State of Illinois
WILLIAM G. HOLLAND
To obtain a copy of the Report contact:
(217)782-6046 or TDD (217) 524-4646
This Report Digest is also available on
ILLINOIS STATE TOLL HIGHWAY AUTHORITY
FINANCIAL AND COMPLIANCE AUDIT
For The Year Ended December 31, 1999
|FINANCIAL OPERATIONS (GAAP BASIS)||
Total Operating Revenue
|SIGNIFICANT ACCOUNT BALANCES (GAAP Basis)||
December 31, 1999
December 31, 1998
Accounts Receivable (net)
Property, Plant and Equipment (net)
Revenue Bonds Payable
|During Audit Period: Mr. Ralph C. Wehner (1/1/99 10/29/99) Mr.
Thomas Cuculich (10/29/99 Present)
Currently: Mr. Thomas Cuculich
Misappropriation of cash receipts at the lane could go undetected
We noted 24 days when cash deposits did not include the cash receipts from all toll plazas
Internal control procedures in the Money Room were inadequate
Damage fees are due the Authority
Receipts not deposited timely
Computer Disaster Recovery Plan did not insure accounting and public safety functions could be performed
These reports represent the results of our financial and compliance audit for the year ending December 31, 1999.
FINDINGS, CONCLUSIONS, AND RECOMMENDATIONS
FAILURE TO MAINTAIN DATA FOR CASH RECEIPT RECONCILIATION
The Authority failed to maintain data necessary for reconciliation of cash receipts.
During our testing, we noted in 1 out of 5 (20%) days selected for testing, equipment at toll plazas was reset nine times in order to make repairs. In all nine instances, information regarding the amount of cash receipts and the number of vehicles passing through the plaza lane was lost. This data is necessary to ensure that all cash receipts have been reconciled and accounted for. There was an average of 782 resets per month for the year ended December 31, 1999.
Failure to maintain adequate data results in the break down of the control function. Consequently, the Authority is unable to determine whether actual cash receipts from the plaza lane are appropriate based on vehicle volume. Therefore, any misappropriation of cash receipts at the lane could go undetected. (Finding 1, page 11)
Authority officials stated they are in the process of updating toll collection equipment which will provide battery backup to protect the equipment memory and help avoid the loss of data.
INCOMPLETE RECORDING OF CASH COLLECTED AND LACK OF PROCEDURES FOR REPORTING CASH BALANCING DIFFERENCES
The Authority did not always report the total daily cash collected for all plazas and did not have adequate written procedures for the resolution of cash balancing variances.
Due to the significant amount of cash flowing through the Money Room on a daily basis, undocumented procedures, especially for the resolution of variances, and incomplete recording of cash could result in misuse or loss of Authority funds. (Finding 2, pages 12-13)
We recommended the Authority: 1) document and strengthen existing procedures in the Money Room, 2) ensure these procedures are routinely communicated to all Money Room employees, and 3) include specific instructions regarding cash reporting and reconciliation issues.
Authority officials stated they are actively reviewing and revising activities, procedures, practices, and related internal controls pertaining to cash handling, where necessary. The internal audit review recommended various improvements in operations, and many have already been implemented. Also, an independent study from an outside consultant and an ongoing investigation by the Illinois State Police have provided different perspectives and recommendations that will be considered in the future implementation of tightened controls.
INADEQUATE MONITORING OF CONTRACTOR'S PERFORMANCE LEVEL
The Authority did not have adequate procedures to monitor its contractor's performance levels.
During our testing, we noted:
We recommended the Authority continue efforts to strengthen established procedures to monitor the contractor's performance. Authority officials stated they and the contractor have agreed to negotiate a settlement and apply the cost of damages as an offset to future billings of the current lease and maintenance agreement. Further, a system is currently being developed which will track damages. This system will be ready the third quarter of 2000.
DEPOSIT OF REVENUES COLLECTED
The Authority did not deposit moneys received in accordance with the time frame set by the Toll Highway Act (605 ILCS 10/24) and the Trust Indenture Bond Agreement.
During our testing, we noted 4 of 24 (17%) receipts in August and September were not deposited into the Treasury within 5 days of collection. Receipts of $1,320,259 were deposited 10 days after collection and receipts of $1,271,442 were deposited 11 days after collection.
The Toll Highway Act states that "except as otherwise provided in any bond resolution, all receipts and income derived from tolls, licenses, gifts, donations, concessions, fees, rentals, and all other revenues from whatever source derived, shall, within three days after receipt thereof, be paid to the Treasurer of the State of Illinois". In addition, the Authority's Trust Indenture Bond Agreement states "all revenues received by the Authority, other than investment income shall be delivered by the Authority to the Treasurer for deposit not more than five (5) business days after receipt". (Finding 4, page 16)
We recommended the Authority closely monitor established procedures to ensure the deposit of receipts in the required timeframe. Authority officials agreed with our recommendation, and stated ten new high-speed coin counting machines were purchased and installed. In addition, additional temporary summer employees have been hired to cover the increase demands of the summer traffic. Further, Authority officials stated they are current in all aspects of their Money Room operations.
INCOMPLETE DISASTER CONTINGENCY PLAN
The Authority has not fully implemented a computer disaster recovery plan. The Authority relies on its computer operations to perform accounting and public safety functions.
Progress has been made as part of the Y2K initiative in developing contingency plans for all critical functions to operate without use of a computer system. Many of these plans will be maintained and used to supplement the Disaster Recovery Plan. In addition, the Authority is continuing efforts to evaluate viable options and costs to support off site facilities, necessary equipment and resources to expedite recovery in the event of a catastrophic disaster.
An adequate plan should minimize the interruption of operations and loss of critical information in the event of a disaster. Without a detailed plan, it would be difficult for the Authority to insure that it can perform vital operations in the event of a disaster. (Finding 10, page 22) This finding has been repeated since 1987.
We recommended the Authority continue its efforts to implement an adequate disaster recovery plan. Once the Plan is completed, responsibilities to test and update the Plan on a periodic basis should be assigned to Authority personnel to insure that the Plan is effective. An on-going commitment to test and update the Plan will be essential to its success.
Authority officials responded that an offsite facility for total recovery is not viable due to costs. Given available resources they are continuing to make incremental advances towards achieving this goal. (For previous Agency responses, see Digest Footnote #1.)
During the current audit period, the Authority became aware of a cash shortage of approximately $182,000 that occurred from May 1999 to December 1999. An arrest has been made, and the Authority and the Illinois State Police are still investigating the matter.
The remaining findings are of lesser significance and are being given attention by the Authority. We will review the Authoritys progress toward implementation of our recommendations in our next audit.
Joseph P. Brownlee, Chief Internal Auditor, provided responses to our findings and recommendations.
Our auditors stated the Illinois State Toll Highway Authoritys financial statements as of December 31, 1999, and for the year then ended are fairly presented in all material respects.
WILLIAM G. HOLLAND, Auditor General
SPECIAL ASSISTANT AUDITORS
Pandolfi, Topolski, Weiss & Co., LTD. were our special assistant auditors for this engagement.
#1: INCOMPLETE DISASTER CONTINGENCY PLAN Previous Agency Responses
1998: "The Authority Information Technology personnel are in agreement and fully recognize the need for Disaster Recovery planning in developing and maintaining provable recovery capability. Our mission is to assure that in a catastrophic event that there are disaster recovery plans to process vital computer applications to maintain Authority business continuity. Our goals are to minimize impact on customers and patrons, minimize impact on employees, and maximize cash flow.
The Information Technology department will implement the Disaster Recovery Plan developed by an outside computer consulting firm dated December 31, 1997. Supplemental enterprise-wide contingency plans are currently being developed internally and are expected to be complete by October 31, 1999. Additionally, the Authority is currently in negotiation to relocate the existing A16 mainframe computer scheduled for replacement, to an off-site location is providing scaled down backup support of critical applications. An Authority owned off-site location has been identified with proper security, environmental conditions, power, and communications access. The Authority's Y2K compliance program has taken priority now and later this year, plans to review and test the Authority's disaster recovery plan will be implemented."
1997: "The Disaster Contingency Plan has been completed with the help of a consultant. A copy of the plan has been submitted to the Auditor Generals Office and to their representative, Clifton Gunderson L.L.C. for comments. Once we receive any comments on the plan, the Authority will begin testing of the plan."
1996: "The Authority agrees that the completion of the formalization of its disaster recovery plan is a priority goal within the MIS Department. The Authority has contracted with an outside contractor to assist it in the review and completion of this plan. Procedures for periodic review and testing of the plan will be determined once the plan itself has been formalized. The Authority anticipates it will meet the recommendations of the auditors during calendar year 1997. While the creation of a secure site is still under consideration, no formal plans for contracts will be awarded in relation to this prior to the completion of the formal written disaster contingency plan. The Authority presently has an agreement with Unisys Corporation to provide off-site emergency services. The Authority has tested this contingency plan by running a test of its payroll system."
1995: "As indicated in last years responses, the Authority recognizes and agrees with the finding that we should be able to perform vital operations in the event of an emergency. Since the original finding appeared in 1987, the Authority has taken measures to improve the Computer Center environment, through the installation of physical safeguards. The Authority is currently negotiating the terms of an agreement with the mainframe manufacturer for the use of their facility as an alternate site. Additionally, the Authority is migrating the Toll Collection and Revenue Accounting System to the same environment. This migration will consolidate all critical mainframe applications onto a single hardware vendor. Therefore, the Authority continues to work toward completing a plan."
1994: "As indicated in last years responses, the Authority recognizes and agrees with the finding that we should be able to perform vital operations in the event of an emergency. Since the original finding appeared in 1987, the Authority has taken measures to improve the Computer Center environment, through the installation of physical safeguards, such as smoke detection, fire detection, uninterruptible power supplies and halon extinguishing system. By spring of 1995, the Authority will establish a committee to develop a business recovery plan."
1992: "The Authority recognizes and agrees with the audit finding that we should be able to perform vital operations in the event of an emergency. However, the Authority no longer supports the recommendation on how the plan should be structured or the minimal requirements of an alternate site for processing data. It is now our belief that this determination can best be made upon completion of a two (2) phase analysis of the risk, cost, and impact of a business recovery plan which will actually support the business continuity of the Authority.
The Authority has studied our requirements for the development of a Computer Disaster Recovery Plan over the course of several years. It is our belief that a Computer Disaster Recovery Plan would not guarantee our ability to sustain business operations or financial obligations in the event of a disaster unless such a disaster was contained within the Computer Center room itself. Because of the safeguards built into the Computer Center, such as smoke detection, water detection, uninterruptible power supplies and halon extinguishing system, the risk in losing computer resources contained in the room is minimal. However, there is a broader issue regarding continuity of operations if our administrative headquarters and/or any outlying plaza or maintenance facility are rendered inoperable. This realization caused the Authority to re-evaluate the objectives of disaster contingency and to focus on the necessity for business continuity planning. In recognition of the dynamic scope contained in this type of approach, the Authority plans to perform this project in phases over the course of the next several years. We have solicited and are reviewing proposals from two (2) major accounting firms for services to conduct the first two (2) phases of this project: Vulnerability/Risk Assessment and Business Impact Analysis. The time estimated to complete these phases ranges from four (4) to eight (8) months. We plan to receive board approval to begin this project in the second quarter of calendar year 1994."
1991: "With our relocation to a new facility, the Authority has incorporated a number of physical safeguards against data loss, such as uninterruptible power sources; has current plans showing the layout of equipment and cabling requirements; and has utilized off-site storage facilities. We anticipate reviewing a comprehensive disaster recovery plan within the year. We will continue with efforts to implement and maintain an adequate disaster recovery plan."
1990: "With our relocation to a new facility, the Authority has incorporated a number of physical safeguards against data loss, such as uninterruptible power sources. The Authority also has current plans showing the layout of equipment and cabling requirements and utilized off site storage facilities. We anticipate reviewing a comprehensive disaster contingency plan within the year. We will continue with efforts to implement and maintain an adequate disaster contingency plan."
1988: "It must be pointed out that even though the Computer Aided Dispatch is considered part of the Authoritys data processing organization, the ability to service patrons and provide law enforcement is never jeopardized. Reciprocal agreements already exist throughout all Illinois State Police Districts. District 15 coverage would be distributed across Districts 1, 2, 3, 4 and 5, respectively according to geographical location of a tollway incident. We also utilize CB radios in our maintenance operations.
In addition, all computerized systems have offsite storage of program software and documentation. A copy of the Disaster Recovery Plan is also stored offsite and reviewed every six months and updated when necessary. A proposal from an outside firm to design a contingency plan has been obtained and an agreement will be entered into in 1989. The Authority will continue with all efforts to develop an adequate disaster contingency plan."
1987: "The statement that "a more detailed plan has not been developed because there is not sufficient interest by the Authority in having an overall contingency plan" is not true. The finding also neglected to point out that the Authority has a written agreement with one vendor (UNISYS) for resource availability in the event of a disaster to the Authoritys financial system. While "alternate site processing" may be the best theoretical solution to the development of a disaster contingency plan, it is the most expensive and complex method of providing such a plan and may not be the most practical method for the Authority. The Authority does realize the importance of a disaster contingency plan. However, the complexity of the alternatives, including the one recommended in the finding, is such that all possible alternatives, taking into account current environment and future changes, must be thoroughly reviewed and evaluated. The Authority will initiate the procedure it deems best for the Authority as soon as the most appropriate plan is identified."