|
Misappropriation of cash receipts at the lane could go undetected
We noted 24 days when cash deposits did not include the cash receipts from all toll
plazas
Internal control procedures in the Money Room were inadequate
Damage fees are due the Authority
Receipts not deposited timely
Computer Disaster Recovery Plan did not insure accounting and public safety functions
could be performed |
INTRODUCTION
These reports represent the results of our financial and compliance audit for
the year ending December 31, 1999.
FINDINGS, CONCLUSIONS, AND RECOMMENDATIONS
FAILURE TO MAINTAIN DATA FOR CASH RECEIPT RECONCILIATION
The Authority failed to maintain data necessary for reconciliation of cash
receipts.
During our testing, we noted in 1 out of 5 (20%) days selected for testing, equipment
at toll plazas was reset nine times in order to make repairs. In all nine instances,
information regarding the amount of cash receipts and the number of vehicles passing
through the plaza lane was lost. This data is necessary to ensure that all cash receipts
have been reconciled and accounted for. There was an average of 782 resets per month for
the year ended December 31, 1999.
Failure to maintain adequate data results in the break down of the control function.
Consequently, the Authority is unable to determine whether actual cash receipts from the
plaza lane are appropriate based on vehicle volume. Therefore, any misappropriation of
cash receipts at the lane could go undetected. (Finding 1, page 11)
Authority officials stated they are in the process of updating toll collection
equipment which will provide battery backup to protect the equipment memory and help avoid
the loss of data.
INCOMPLETE RECORDING OF CASH COLLECTED AND LACK OF PROCEDURES FOR REPORTING CASH
BALANCING DIFFERENCES
The Authority did not always report the total daily cash collected for all plazas
and did not have adequate written procedures for the resolution of cash balancing
variances.
- We noted that the cash deposits did not include the cash receipts for all toll plazas in
one out of five days selected for testing. The cash collected on 7/17/99 for plazas 31 and
32 was recorded on 7/19/99. This resulted in variances between the actual cash reported
and the cash computed by the toll collection equipment on a daily basis. While
reconciliation between the days is possible, it becomes more difficult in this situation.
- Upon additional testing of the entire fiscal year, we noted an additional 23 days where
cash deposits did not include the cash receipts of all toll plazas. This resulted in daily
variances between the actual cash reported and the cash computed by toll collection
equipment.
- We noted that internal control procedures did exist in the Money Room; however, these
procedures were inadequate because they were not documented and not always followed,
according to a review conducted by the Authority's Internal Audit Department.
Due to the significant amount of cash flowing through the Money Room on a daily basis,
undocumented procedures, especially for the resolution of variances, and incomplete
recording of cash could result in misuse or loss of Authority funds. (Finding 2, pages
12-13)
We recommended the Authority: 1) document and strengthen existing procedures in the
Money Room, 2) ensure these procedures are routinely communicated to all Money Room
employees, and 3) include specific instructions regarding cash reporting and
reconciliation issues.
Authority officials stated they are actively reviewing and revising activities,
procedures, practices, and related internal controls pertaining to cash handling, where
necessary. The internal audit review recommended various improvements in operations, and
many have already been implemented. Also, an independent study from an outside consultant
and an ongoing investigation by the Illinois State Police have provided different
perspectives and recommendations that will be considered in the future implementation of
tightened controls.
INADEQUATE MONITORING OF CONTRACTOR'S PERFORMANCE LEVEL
The Authority did not have adequate procedures to monitor its contractor's
performance levels.
During our testing, we noted:
- While contracts for the repair of toll equipment include performance standards, the
Authority does not have adequate procedures to monitor the contractor's actual performance
level against those standards. The contract establishes precise time limits to repair toll
equipment, which vary by type of malfunction. If the contractor does not repair a
malfunction in the allotted time, the Authority has the ability to assess a damage fee.
During fiscal year 1999, the Authority paid $7,519,930 for maintenance of toll equipment,
but did not assess damage fees because of inadequate monitoring procedures.
- In fiscal year 1999, an Internal Audit review identified 4 revenue days where the
contractor's performance did not meet performance standards. Internal Audit concluded that
damage fees should have been assessed. The Authority and the contractor agree that damages
are due, however, the amount is currently being negotiated. (Finding 3, pages 14 - 15)
We recommended the Authority continue efforts to strengthen established procedures to
monitor the contractor's performance. Authority officials stated they and the contractor
have agreed to negotiate a settlement and apply the cost of damages as an offset to future
billings of the current lease and maintenance agreement. Further, a system is currently
being developed which will track damages. This system will be ready the third quarter of
2000.
DEPOSIT OF REVENUES COLLECTED
The Authority did not deposit moneys received in accordance with the time frame set
by the Toll Highway Act (605 ILCS 10/24) and the Trust Indenture Bond Agreement.
During our testing, we noted 4 of 24 (17%) receipts in August and September were not
deposited into the Treasury within 5 days of collection. Receipts of $1,320,259 were
deposited 10 days after collection and receipts of $1,271,442 were deposited 11 days after
collection.
The Toll Highway Act states that "except as otherwise provided in any bond
resolution, …all receipts and income derived from tolls, licenses, gifts, donations,
concessions, fees, rentals, and all other revenues from whatever source derived, shall,
within three days after receipt thereof, be paid to the Treasurer of the State of
Illinois". In addition, the Authority's Trust Indenture Bond Agreement states
"all revenues received by the Authority, other than investment income…shall be
delivered by the Authority to the Treasurer for deposit…not more than five (5)
business days after receipt". (Finding 4, page 16)
We recommended the Authority closely monitor established procedures to ensure the
deposit of receipts in the required timeframe. Authority officials agreed with our
recommendation, and stated ten new high-speed coin counting machines were purchased and
installed. In addition, additional temporary summer employees have been hired to cover the
increase demands of the summer traffic. Further, Authority officials stated they are
current in all aspects of their Money Room operations.
INCOMPLETE DISASTER CONTINGENCY PLAN
The Authority has not fully implemented a computer disaster recovery plan. The
Authority relies on its computer operations to perform accounting and public safety
functions.
Progress has been made as part of the Y2K initiative in developing contingency plans
for all critical functions to operate without use of a computer system. Many of these
plans will be maintained and used to supplement the Disaster Recovery Plan. In addition,
the Authority is continuing efforts to evaluate viable options and costs to support off
site facilities, necessary equipment and resources to expedite recovery in the event of a
catastrophic disaster.
An adequate plan should minimize the interruption of operations and loss of critical
information in the event of a disaster. Without a detailed plan, it would be difficult for
the Authority to insure that it can perform vital operations in the event of a disaster.
(Finding 10, page 22) This finding has been repeated since 1987.
We recommended the Authority continue its efforts to implement an adequate disaster
recovery plan. Once the Plan is completed, responsibilities to test and update the Plan on
a periodic basis should be assigned to Authority personnel to insure that the Plan is
effective. An on-going commitment to test and update the Plan will be essential to its
success.
Authority officials responded that an offsite facility for total recovery is not viable
due to costs. Given available resources they are continuing to make incremental advances
towards achieving this goal. (For previous Agency responses, see Digest Footnote #1.)
OTHER MATTERS
During the current audit period, the Authority became aware of a cash shortage of
approximately $182,000 that occurred from May 1999 to December 1999. An arrest has been
made, and the Authority and the Illinois State Police are still investigating the matter.
OTHER FINDINGS
The remaining findings are of lesser significance and are being given attention by
the Authority. We will review the Authority’s progress toward implementation of our
recommendations in our next audit.
Joseph P. Brownlee, Chief Internal Auditor, provided responses to our findings and
recommendations.
AUDITORS’ OPINION
Our auditors stated the Illinois State Toll Highway Authority’s financial
statements as of December 31, 1999, and for the year then ended are fairly presented in
all material respects.
____________________________________
WILLIAM G. HOLLAND, Auditor General
WGH:TEE:pp
SPECIAL ASSISTANT AUDITORS
Pandolfi, Topolski, Weiss & Co., LTD. were our special assistant auditors
for this engagement.
DIGEST FOOTNOTES
#1: INCOMPLETE DISASTER CONTINGENCY PLAN – Previous Agency Responses
1998: "The Authority Information Technology personnel are in agreement and
fully recognize the need for Disaster Recovery planning in developing and maintaining
provable recovery capability. Our mission is to assure that in a catastrophic event that
there are disaster recovery plans to process vital computer applications to maintain
Authority business continuity. Our goals are to minimize impact on customers and patrons,
minimize impact on employees, and maximize cash flow.
The Information Technology department will implement the Disaster Recovery Plan
developed by an outside computer consulting firm dated December 31, 1997. Supplemental
enterprise-wide contingency plans are currently being developed internally and are
expected to be complete by October 31, 1999. Additionally, the Authority is currently in
negotiation to relocate the existing A16 mainframe computer scheduled for replacement, to
an off-site location is providing scaled down backup support of critical applications. An
Authority owned off-site location has been identified with proper security, environmental
conditions, power, and communications access. The Authority's Y2K compliance program has
taken priority now and later this year, plans to review and test the Authority's disaster
recovery plan will be implemented."
1997: "The Disaster Contingency Plan has been completed with the help of a
consultant. A copy of the plan has been submitted to the Auditor General’s Office and
to their representative, Clifton Gunderson L.L.C. for comments. Once we receive any
comments on the plan, the Authority will begin testing of the plan."
1996: "The Authority agrees that the completion of the formalization of its
disaster recovery plan is a priority goal within the MIS Department. The Authority has
contracted with an outside contractor to assist it in the review and completion of this
plan. Procedures for periodic review and testing of the plan will be determined once the
plan itself has been formalized. The Authority anticipates it will meet the
recommendations of the auditors during calendar year 1997. While the creation of a secure
site is still under consideration, no formal plans for contracts will be awarded in
relation to this prior to the completion of the formal written disaster contingency plan.
The Authority presently has an agreement with Unisys Corporation to provide off-site
emergency services. The Authority has tested this contingency plan by running a test of
its payroll system."
1995: "As indicated in last year’s responses, the Authority recognizes
and agrees with the finding that we should be able to perform vital operations in the
event of an emergency. Since the original finding appeared in 1987, the Authority has
taken measures to improve the Computer Center environment, through the installation of
physical safeguards. The Authority is currently negotiating the terms of an agreement with
the mainframe manufacturer for the use of their facility as an alternate site.
Additionally, the Authority is migrating the Toll Collection and Revenue Accounting System
to the same environment. This migration will consolidate all critical mainframe
applications onto a single hardware vendor. Therefore, the Authority continues to work
toward completing a plan."
1994: "As indicated in last year’s responses, the Authority recognizes
and agrees with the finding that we should be able to perform vital operations in the
event of an emergency. Since the original finding appeared in 1987, the Authority has
taken measures to improve the Computer Center environment, through the installation of
physical safeguards, such as smoke detection, fire detection, uninterruptible power
supplies and halon extinguishing system. By spring of 1995, the Authority will establish a
committee to develop a business recovery plan."
1992: "The Authority recognizes and agrees with the audit finding that we
should be able to perform vital operations in the event of an emergency. However, the
Authority no longer supports the recommendation on how the plan should be structured or
the minimal requirements of an alternate site for processing data. It is now our belief
that this determination can best be made upon completion of a two (2) phase analysis of
the risk, cost, and impact of a business recovery plan which will actually support the
business continuity of the Authority.
The Authority has studied our requirements for the development of a Computer Disaster
Recovery Plan over the course of several years. It is our belief that a Computer Disaster
Recovery Plan would not guarantee our ability to sustain business operations or financial
obligations in the event of a disaster unless such a disaster was contained within the
Computer Center room itself. Because of the safeguards built into the Computer Center,
such as smoke detection, water detection, uninterruptible power supplies and halon
extinguishing system, the risk in losing computer resources contained in the room is
minimal. However, there is a broader issue regarding continuity of operations if our
administrative headquarters and/or any outlying plaza or maintenance facility are rendered
inoperable. This realization caused the Authority to re-evaluate the objectives of
disaster contingency and to focus on the necessity for business continuity planning. In
recognition of the dynamic scope contained in this type of approach, the Authority plans
to perform this project in phases over the course of the next several years. We have
solicited and are reviewing proposals from two (2) major accounting firms for services to
conduct the first two (2) phases of this project: Vulnerability/Risk Assessment and
Business Impact Analysis. The time estimated to complete these phases ranges from four (4)
to eight (8) months. We plan to receive board approval to begin this project in the second
quarter of calendar year 1994."
1991: "With our relocation to a new facility, the Authority has
incorporated a number of physical safeguards against data loss, such as uninterruptible
power sources; has current plans showing the layout of equipment and cabling requirements;
and has utilized off-site storage facilities. We anticipate reviewing a comprehensive
disaster recovery plan within the year. We will continue with efforts to implement and
maintain an adequate disaster recovery plan."
1990: "With our relocation to a new facility, the Authority has
incorporated a number of physical safeguards against data loss, such as uninterruptible
power sources. The Authority also has current plans showing the layout of equipment and
cabling requirements and utilized off site storage facilities. We anticipate reviewing a
comprehensive disaster contingency plan within the year. We will continue with efforts to
implement and maintain an adequate disaster contingency plan."
1988: "It must be pointed out that even though the Computer Aided Dispatch
is considered part of the Authority’s data processing organization, the ability to
service patrons and provide law enforcement is never jeopardized. Reciprocal agreements
already exist throughout all Illinois State Police Districts. District 15 coverage would
be distributed across Districts 1, 2, 3, 4 and 5, respectively according to geographical
location of a tollway incident. We also utilize CB radios in our maintenance operations.
In addition, all computerized systems have offsite storage of program software and
documentation. A copy of the Disaster Recovery Plan is also stored offsite and reviewed
every six months and updated when necessary. A proposal from an outside firm to design a
contingency plan has been obtained and an agreement will be entered into in 1989. The
Authority will continue with all efforts to develop an adequate disaster contingency
plan."
1987: "The statement that "a more detailed plan has not been developed
because there is not sufficient interest by the Authority in having an overall contingency
plan" is not true. The finding also neglected to point out that the Authority has a
written agreement with one vendor (UNISYS) for resource availability in the event of a
disaster to the Authority’s financial system. While "alternate site
processing" may be the best theoretical solution to the development of a disaster
contingency plan, it is the most expensive and complex method of providing such a plan and
may not be the most practical method for the Authority. The Authority does realize the
importance of a disaster contingency plan. However, the complexity of the alternatives,
including the one recommended in the finding, is such that all possible alternatives,
taking into account current environment and future changes, must be thoroughly reviewed
and evaluated. The Authority will initiate the procedure it deems best for the Authority
as soon as the most appropriate plan is identified."
|
