For the Year Ended: June 30, 2009


Release Date: July 8, 2009


State of Illinois Office of the Auditor General



To obtain a copy of the Report contact:

Office of the Auditor General, Iles Park Plaza, 740 E. Ash Street, Springfield, IL 62703

(217) 782-6046 or TTY (888) 261-2887


This Report Digest and Full Report are also available on the worldwide web at:






      The Department of Central Management Services’ (Department) Bureau of Communication and Computer Services carries out statutory responsibilities relating to data processing and telecommunication services (20 ILCS 405/405-10; 20 ILCS 405/405-20; 20 ILCS 405/405-250; 20 ILCS 405/405-255; 20 ILCS 405/405-260; 20 ILCS 405/405-270 and 20 ILCS 405/405-410). To fulfill its responsibilities, the Department operates the Central Computer Facility (CCF), the Communications Center, and branch facilities.  Through its facilities, the Department provides data processing services to approximately 96 user agencies.


       The Department is mandated to manage or delegate the management of the procurement, retention, installation, maintenance, and operation of all electronic data processing equipment used by State agencies to achieve maximum economy consistent with development of adequate and timely information in a form suitable for management analysis, in a manner that provides for adequate security protection and back-up facilities for that equipment.


       The Department functions as a service organization providing computing and telecommunication resources for State agencies’ use.  The Department and the agencies that use the Department’s computer resources share the responsibility for maintaining the integrity and security of computerized data and functions.


       We reviewed data processing general controls at the Department primarily during the period from January 5, 2009 to May 26, 2009.  We performed tests to determine compliance with policies and procedures, conducted interviews, performed observations, and identified specific control objectives and procedures we considered necessary to evaluate the controls.


       We also reviewed application controls for systems maintained by the Department for State agencies’ use.  The systems reviewed were the Accounting Information, Central Payroll, Central Inventory, and Central Time and Attendance Systems.






STATISTICS      2009



    4 Units Configured as 11 Production Systems and 6 Test Systems    

    1 Unit Configured as 5 Systems for Business Continuity



    Impact Printing – 7.2 Million Lines per Month

    Laser Printing – 14.5 Million Pages per Month


State Agency Users:  96


Bureau Employees:                          

    2006 — 777

    2007 — 748

    2008 — 708

    2009 — 679


Historical Growth Trend (In the month of April for each year listed)

    2006 — 3,217 — MIPS (Million Instructions per Second)

    2007 — 3,962 — MIPS

    2008 — 4,018 — MIPS

    2009 — 4,035 — MIPS


Information provided by the Department – Unaudited





  During Audit Period:  Acting Director:  Maureen O’Donnell (7/1/2008 to 8/24/2008) 

  Currently:  Director:  James Sledge (8/25/2008 to present)


  During Audit Period and Current Deputy Director/Bureau Manager:  Doug Kasamis  






We identified one significant deficiency for which we could not obtain reasonable assurance over the controls.


Information Technology Billings


The Department billed user agencies for various services, based on utilizations and rates developed by the Department.  However, based on inquiries and review of billing data, the Department had not implemented an adequate process/methodology to ensure the appropriateness of billings to agencies.

Billing invoices were the foundation for user agencies to make payments to the Department, including payments from the 11 agencies included in the consolidation of various functions of State government into the Department. 


To ensure the accuracy of the billings, the Department should:

  Develop a process to ensure billings are appropriate and accurately reflect services rendered. 

  Develop a formal methodology to clearly document the allocations of rates and charges to user agencies.  (See page 6 for additional information)


The Department concurs with the Auditor’s recommendations.  We are working to improve our billing processes and the billing data we make available for rates that were introduced in the last two years as a result of the IT consolidations.  We are also working on a comprehensive methodology document for all of our rates. 


Although not covered under audit standards as a deficiency, the deficiency outlined below may impact the Department’s ability to process information in the future.


Disaster Contingency Planning


Although the Department had developed some basic strategies to address the disaster contingency needs of the State’s Central Computer Facility, the plans and operational provisions need to be enhanced to provide assurance that all of the State’s critical applications and network operations can be recovered within required timeframes.


Although a Recovery Methodology and Recovery Activation Plan existed, they had not been updated to reflect the current environment and referenced documentation which had not been fully developed. 


A recovery test was performed in September 2008; however, all Category One applications were not included in the test and the test and supporting documentation did not meet the requirements outlined in the Recovery Activation Plan. 


The State is placing great reliance on the Department’s ability to provide data processing and network services in the event of a disaster.  As such, comprehensive and thoroughly tested disaster contingency plans are an essential component of recovery efforts. 


The Department should ensure the necessary components (plans, equipment, and facilities) are available to provide for the continuation of critical computer operations in the event of a disaster.  In addition, the Department should conduct and appropriately document comprehensive tests of the plans on an annual basis.  (See pages 6-7 for additional information)


The Department partially concurs with the recommendations and is confident that the deficiencies found in Recovery Services do not impact the Departments capacity to recover the critical environment and applications of the State.  This is evident in the results of the latest comprehensive exercise – environment and applications were recovered in 48 hours, with no major issues.  Nevertheless, the Department will continue its current efforts to update Recovery Services documentation, enhance and improve Recovery exercises, and communicate Recovery requirements to supported Agencies.




With the exception of the one significant deficiency described above, procedures were generally sufficient to provide reasonable, but not absolute, assurance that relevant general and application control objectives were achieved. 



WILLIAM G. HOLLAND, Auditor General