For the Year Ended:

June 30, 2006



Release Date:

July 12, 2006




State of Illinois

Office of the Auditor General






To obtain a copy of the

Report contact:

Office of the Auditor General

Iles Park Plaza

740 E. Ash Street

Springfield, IL 62703

(217) 782-6046 or TTY (888) 261-2887



This Report Digest and Full Report are also available on

the worldwide web at






      The Department of Central Management Services’ (Department) Bureau of Communication and Computer Services carries out statutory responsibilities relating to data processing and telecommunication services (20 ILCS 405/405-10; 20 ILCS 405/405-20; 20 ILCS 405/405-250; 20 ILCS 405/405-255; 20 ILCS 405/405-260; 20 ILCS 405/405-270 and 20 ILCS 405/405-410). To fulfill its responsibilities, the Department operates the Central Computer Facility (CCF), the Communications Center, and branch facilities.  Through its facilities, the Department provides data processing services to approximately 98 user entities.


      The Department is mandated to manage or delegate the management of the procurement, retention, installation, maintenance, and operation of all electronic data processing equipment used by State agencies to achieve maximum economy consistent with development of adequate and timely information in a form suitable for management analysis, in a manner that provides for adequate security protection and back-up facilities for that equipment.


      The CCF functions as a service organization providing computing and telecommunication resources for State agencies’ use.  The Department and the agencies that use the Department’s computer resources share the responsibility for maintaining the integrity and security of computerized data and functions.


      We reviewed data processing general controls at the Department primarily during the period from January 3, 2006 to May 26, 2006.  We performed tests to determine compliance with policies and procedures, conducted interviews, performed observations, and identified specific control objectives and procedures we considered necessary to evaluate the controls.


      We also reviewed application controls for systems maintained by the Department for State agencies’ use.  The systems reviewed were the Accounting Information, Central Payroll, Central Inventory, and Central Time and Attendance Systems.

















    3 Units Configured as 10 Production Systems

        and 4 Test Systems    

    1 Unit Configured for Disaster Recovery







    Impact Printing – 3.79 Million Lines per Month

    Laser Printing – 16 Million Pages per Month


  State Agency Users



  Bureau Employees 



    2003  --  307

    2004  --  303

    2005  --  775*

    2006  --  777

    * Increase due to IT consolidation into the Department

    per Public Act 93-25 


  Historical Growth Trend**



2003  --

2004  -- 

2005  --2006  -- 









--  MIPS

--  MIPS

--  MIPS

--  MIPS


--  Million Instructions Per Second


     **  In the month of April for each year listed



                                        Information provided by the Department - Unaudited






  During Audit Period:  Director:  Paul Campbell

  Deputy Director/Bureau Manager:  Jay Carlson  (7/1/2005 to 11/7/2005)


  Currently:  Director:  Paul Campbell

  Deputy Director/Bureau Manager:  Tony Daniels (11/8/2005 to present)









Risk of unauthorized and not suitably tested changes to systems



















Security framework not sufficiently developed or implemented






























State lacks preparedness






We identified two reportable conditions for which we could not obtain reasonable assurance over the controls.


Change Management Process


The Department did not follow the approved change management process it implemented in 2004, has not updated its change management policies and procedures, and has not developed a mechanism to ensure all changes follow the approved process.


In addition, the approved change management process has not been implemented across all platforms.  As a result, the current change management process lacks consistency and does not ensure all changes are sufficiently controlled. 


The lack of compliance with the approved change management process leaves the Department exposed to the risk of unauthorized and not suitably tested changes to systems.  The Department should update policies and procedures to govern the approved change management process and ensure compliance.  (page 6)


The Department concurred with our recommendation. Department officials stated the Bureau is in the process of implementing a formal change management framework.


Security Framework


The Department has the primary responsibility for providing IT services to State Government.  Thus, it is imperative the Department implement a framework to promote and apply prudent, comprehensive, and effective security practices.  The expanding use of information technology, increased sharing of sensitive information, and emerging IT risks make it imperative that security be appropriately addressed.


The security framework has not been sufficiently developed or implemented to ensure security is adequately addressed from a Statewide or Departmental perspective. 


The Department had not updated the various security-related documents since at least February 2003.  As a result, the documents do not reflect the current technological environment, and have not been updated to address current security concerns. 


The Department should thoroughly review and update security policies to address the current technological environment, consolidation issues, and present-day risks. In addition, the Department should formally approve and implement a comprehensive security administration framework, and ensure sufficient resources are allocated to support the framework. (pages 6-7)


The Department concurred with our recommendation.  Department officials stated a Policy Review Board will establish updated enterprise policies and procedures that address the legacy and consolidated environments. 


Although not covered under audit standards as a reportable condition, the deficiency outlined below may impact the Department’s ability to process in the future.


Disaster Contingency Planning


Although the Department has developed some basic strategies to address the disaster contingency needs of the State’s Central Computer Facility, the plans and operational provisions need to be enhanced to provide assurance that all of the State’s critical applications and network operations can be recovered within required timeframes.  The plans are outdated, do not adequately address regional recovery facilities, and have not been adequately tested to determine if the plans would effectively guide recovery efforts in the event of a disaster.


The State is placing great reliance on the Department’s ability to provide data processing and network services in the event of a disaster.  As such, comprehensive and thoroughly tested disaster contingency plans are an essential component of recovery efforts. 


The Department should ensure the necessary components (plans, equipment, and facilities) are available to provide for continuation of critical computer operations in the event of a disaster.  In addition, the Department should obtain a suitable regional alternate location for recovery services, and conduct comprehensive tests of the plans on an annual basis.  (pages 7-8)


The Department concurred with our recommendation. Department officials stated a comprehensive exercise of all Category One applications is scheduled for July 2006.





With the exception of the two reportable conditions described above, procedures were generally sufficient to provide reasonable, but not absolute, assurance that relevant general and application control objectives were achieved. 







                                  WILLIAM G. HOLLAND, Auditor General