Volume 14, 2008 Annual
William G. Holland, Auditor General
Auditor General’s Message
Transparency and accountability. These two words capture the very essence of good government. State government needs to be transparent: nothing should be hidden and everything should appear as it is. State government also needs to be accountable: it exists to serve the people of Illinois, and, as such, has an obligation to provide complete and timely financial and programmatic information so that citizens can make informed decisions about their State government.
My Office plays an integral role in helping to ensure that State government is transparent and accountable to the people. The Illinois Constitution established my Office to audit and publicly report on the State’s finances, as well as the effectiveness and efficiency of agency operations.
Increasingly, my auditors have been experiencing delays in receiving requested information, failure to report suspected fraud, and limited access to agency personnel. These circumstances threaten our ability to effectively carry out our responsibilities and are unacceptable. The Advisory contains excerpts from a speech I gave earlier this year where I addressed trends in State government that I find both troubling and unacceptable.
I encourage you to carefully read my comments from my May 15th speech. These comments clearly describe my approach to forthcoming audits.
WILLIAM G. HOLLAND
CHALLENGES TO ACCOUNTABILITY AND TRANSPARENCY
The following are excerpts from a speech the Auditor General made on May 15, 2008 to the Springfield Chapter of the Institute of Internal Auditors.
Let me begin by congratulating all of you on the 30th anniversary of the Springfield Chapter. The Chapter has been a leader in promoting internal auditing not only in State government, but also in other governmental and private organizations.
I have had the privilege of speaking
to this Chapter on several occasions, including in 1998 and 2004. Tonight I am here to reflect on what I said back in 1998 and 2004. I will also discuss the current audit process. I’ll outline for you how I intend the audit process to proceed in the future.
In 1998, my speech focused on technological threats facing State government operations, specifically the Y2K issue and hackers accessing our vital information systems. These threats had the potential to seriously compromise State government operations, and as such, were clearly unacceptable. Recognizing and responding to these threats, internal auditors played a vital role in assessing the risks they posed and ensuring that the State took the necessary steps to significantly alleviate these threats.
In 2004, I spoke about changes in auditing standards, as well as delays encountered by our external audit process because agencies were late in preparing their financial statements. Furthermore, when the financial information was submitted, in many cases it was inaccurate and unsupported. This was unacceptable. We still encounter problems in this area, although some agencies have made some improvements. However, this continues to be problematic and the number of Yellow Book findings pertaining to significant deficiencies in financial reporting are numerous.
Now we turn to today. Once again, we are facing serious challenges. The success of our government relies on two fundamental principles: accountability and transparency.
Unfortunately, much of what I see occurring, when viewed from an accountability and transparency perspective, is unacceptable. From my view, your impact and influence have been eroded. Again, from my view, this is truly unfortunate.
For instance, over the past several years, internal auditors have been asked to provide non-audit support. Evidence of this diversion of resources is found in my Office’s latest compliance examination at CMS. The report contained a finding which concluded that the Illinois Office of Internal Audit did not complete audits of all major systems of internal accounting and administrative control as required by the Fiscal Control and Internal Auditing Act. For the two-year audit period ending June 30, 2006, the IOIA planned to conduct 196 audits but only completed 46 audits (23%) with an additional 24 audits (12%) in progress.
Another disturbing trend in recent years that I believe is directly related to the removal of internal auditors from the agencies is the increase in the number of findings in my Office’s financial and compliance audits. For audits with the period ending June 30, 2001, there were a total of 267 findings. By 2006, the number of findings more than doubled, to 608. I appreciate that there are many factors that drive the number of findings in my audits. However, I believe a primary reason, and very likely the main reason for the increase in audit findings, has been the removal of internal auditors from the agencies.
One of the primary responsibilities of internal auditors prior to the consolidation was to evaluate systems of controls and agency operations, identify problems, and take corrective action. With the removal of internal auditors from the agencies, this critical function has been diminished.
Finally, I’d like to briefly discuss some trends or agency behaviors that have been occurring in recent years that I will no longer accept.
• Routine requests for information are being submitted to “legal staff” for prior approval before it is provided to my auditors. I really don’t care as long as the review does not result in sanitizing the information requested or result in delays. Both are unacceptable.
• There has been a trend in recent years for agencies to request additional time to submit responses to recommendations contained in my audit reports. While in rare instances an extension past the 21 days allowed by regulation may be understandable, I will no longer be routinely granting extensions to agencies for their formal responses. These delays are unacceptable.
• The early retirement initiative took place 5 years ago. Back then the loss of knowledgeable, qualified staff was a valid cause for problems experienced in agency’s accounting and financial operations. Today, it is still being cited as a reason for some of the problems agencies are experiencing in providing timely information to auditors. After the passage of 5 years, agencies should have been able to reassign those responsibilities to other competent staff. Failure to have reassigned such responsibilities is unacceptable.
• Today we are, at times, experiencing inordinate delays in agency management’s preparation of financial statements and all related note disclosures. These delays are unacceptable.
• We have gone out of our way to inform agencies about their responsibility to make timely disclosure of suspected fraud. We still experience problems in this area. This is unacceptable. (As an aside, when we discover or learn about a fraud that was NOT disclosed to us in an appropriate manner, our professional skepticism is heightened.)
• We see a trend where agency management is not as attentive to the content of the management representation letters as they should be. It is true these letters contain standard boilerplate language. But the words have real meaning – and we take them very seriously. Glossing over the content is unacceptable.
• More than ever before, we now have agencies trying to restrict our unfettered access to agency personnel. Our goal is the same as yours: have the auditors in the office for as little time as possible. When we are denied access, once again our professional skepticism is raised. This causes delays. This denial of access or restricted access to agency employees is unacceptable.
• We are now faced with a new challenge to our audit access. Recently we were told by an agency that my auditors would have to work at the location of the shared services activities. Let me be clear: we will focus on those activities of the shared services initiative that are separate and apart from the responsibilities of the individual agency, but my auditors will NOT routinely or always be working from a satellite location to audit the principal agency. To do so would be unacceptable.
So what is my recourse to all these unacceptable activities? Well, first of all it begins here. Over the course of my 15 years as Auditor General I have sought to be fair. One of the keys to fairness is to make sure there are no surprises. I want each of you to understand my position.
As I look around the room, I am confident that the challenges we face, if left to those of us here, would be resolved in a very professional manner. In this room, there is nothing but professionals. We know how to disagree without being disagreeable. I know the value of the internal auditor who is allowed to be an internal auditor. You know the value of the external auditor who fairly reports. Together we are the cornerstone of the accountability and transparency I discussed in the beginning.
It is my sincere hope that when I address this distinguished group in another 5 or 10 years from now we can look back, as we now look back at my 1998 and 2004 speeches, and conclude that while the problems were real and the threats to undermine accountable State government were real, action was taken to strengthen the internal audit function within the State of Illinois, as well as increase the level of cooperation in dealing with my Office’s external audit process.
At the beginning of a financial audit, single audit, or compliance attestation engagement, a Letter of Understanding/Engage-ment Letter is sent to agency directors. The Letter contains important information which explains the scope and purposes of the upcoming engagement, as well as specific responsibilities management is expected to fulfill.
Management is responsible for establishing and maintaining effective internal control and for compliance with laws, regulations, contracts, agreements and other matters. The objectives of internal control are to provide management with reasonable, but not absolute, assurance that assets are safeguarded against loss from unauthorized use or disposition, and that transactions are executed in accordance with management’s authorizations and recorded properly to permit the preparation of financial statements in accordance with generally accepted accounting principles and SAMS requirements.
Management is responsible for making all financial records and related information available to the auditors. Management is responsible for providing auditors with such information required for the audit and is responsible for the accuracy and completeness of that information. Auditors may advise management about appropriate accounting principles and their application and may provide advice in the preparation of the financial statements, but the responsibility for the financial statements remains with management.
Management is responsible for the design and implementation of programs and controls to prevent and detect fraud, and for informing auditors about all known or suspected fraud, or illegal acts, or noncompliance with contracts or grant agreements affecting the Department involving (1) management, (2) employees who have significant roles in internal control, and (3) others where the fraud, illegal acts, or noncompliance could have a material effect on the financial statements and compliance assertions.
Management is also responsible for informing auditors of its knowledge of any allegations of fraud or suspected fraud, illegal acts, or noncompliance affecting the agency that were received in communications from employees, former employees, grantors, regulators, or others. Our office is aware that such matters may be the subject of inquiry by the Executive Office of Inspector General, State Police, Attorney General, or prosecutorial agency and, as such, management may have been advised to keep such matters confidential. Please note that management is still required to respond to the auditor’s inquiries about suspected fraud, illegal acts, or noncompliance in a forthright and truthful manner. If necessary, management may coordinate its response with the Executive Office of Inspector General, State Police, Attorney General, or prosecutorial agency.
Auditors will request written representations from your attorneys as part of the engagement, if necessary. Further, at the conclusion of the audit, auditors will also require certain written representations from management about the financial statements and related matters. Each agency’s full cooperation and timeliness is critical to the audit process. As discussed in this Advisory, incomplete or inaccurate responses and delays in responding will not be tolerated.
In last year’s edition of the Audit Advisory, we initiated an annual series that examined high-risk areas in State government operations. These are areas that expose the State to an unacceptable level of risk. The five high-risk areas on our 2007 list were: 1) Contracting Processes; 2) Subrecipient Monitoring; 3) Financial Reporting; 4) Safeguarding Confidential Information; and 5) Noncompliance with State Laws.
Audits completed in 2008 have continued to have findings in these areas. In addition, a sixth high-risk area – Shared Services management – has been added in 2008. The following sections summarize the five high-risk areas repeated from 2007, and examine in greater detail the Shared Services management risk area added in 2008.
1. CONTRACTING PROCESSES
The contracting process poses significant risks for State agencies and is susceptible to fraud and abuse. There are a myriad of ways the contracting process can be manipulated or abused. Consequently, an agency’s system of internal controls related to contracting needs to be strong, monitored, and enforced.
Contracting deficiencies have been routine findings in OAG audits. Examples of contracting deficiencies included: untimely execution of contracts; lack of documentation for the evaluation, selection, and contracting processes; use of evaluation criteria that were not stated in the RFP; failure to competitively procure contracts; allowing vendors to begin work without a formal written agreement in place; failure to publish the required notice of awards in the Procurement Bulletin; and inadequate agency review of billings.
2. SUBRECIPIENT MONITORING
State agencies’ failure to adequately monitor subrecipients has been a central finding in the State’s Single Audit for years. The FY 2006 Single Audit included 21 findings and the FY 2007 Single Audit had 26 findings related to agencies’ deficiencies in monitoring subrecipients. Agencies covered by the Single Audit received $16.7 billion in federal funding in FY 2007, of which $3.5 billion (or 21%) was passed through to grantees.
It is not sufficient for agencies to simply pass funding on to third parties. Rather, a system must be established to monitor how those funds are being spent and ensure these monies are being spent for the specified purpose. Subrecipient monitoring includes many aspects, such as reviewing and receiving grant reports, as well as some level of on-site reviews or inspections.
3. FINANCIAL REPORTING
Financial reporting errors have several important effects, including increased audit testing, delays in the completion of audits, and delays in the preparation of the Comptroller’s Comprehensive Annual Financial Report (CAFR). Problems with agencies’ financial reporting were directly responsible for the delay in the issuance of the State’s most recent CAFR, which was issued in June 2008. By contrast, in 2007 the CAFR was issued in February.
Deficiencies in financial reporting included late preparation of financial statements and other financial reporting forms (GAAP forms) and improper recording or misclassification of transactions, requiring significant revisions to financial statements.
4. SAFEGUARDING CONFIDENTIAL INFORMATION
The theft or loss of personal information is an increasing
problem in the State of Illinois. Audits have identified two areas of concern. The first deals with inadequate controls over the disposal of hard copy confidential information. The second area of concern is a failure to ensure adequate security over computer systems and resources.
A risk management approach can be used to assist in a State agency’s responsibility to protect confidential and personal information. An approach may include:
• Review of all IT systems to identify where confidential or personal information resides.
• Assessment of the need to obtain and retain this information. (For example, in many systems, social security numbers are no longer needed as a unique identifier and can be eliminated).
• Implementing security controls to protect information that was deemed necessary to meet missions and mandates. Security controls include limiting access to only those that require access to perform job duties and/or the use of encryption (translation of data into an unreadable format).
5. NONCOMPLIANCE WITH STATE LAWS
The primary responsibility of State agencies is to implement and administer programs and functions given to them by the General Assembly. Audits routinely find that agencies are not complying with these mandates. If agencies are not complying with a law because they believe it is outdated or duplicative, they should seek legislation to have the law revised.
6. SHARED SERVICES MANAGEMENT
Executive Order 2006-06, effective March 31, 2006, formally created Divisions of Shared Services at the Departments of Revenue and Corrections. The purpose of the Shared Services Center is to provide common administrative functions, such as fiscal and human resources services and support services to multiple State agencies. The Administrative and Regulatory Shared Services Center at Revenue was established to provide these services to three administrative and regulatory agencies: the Departments of Central Management Services, Financial and Professional Regulation, and Revenue. The Public Safety Shared Services Center at Corrections covers nine State agencies with public safety functions, including State Police, Corrections, and the State Fire Marshal.
The Executive Order noted that combining these core administrative functions would improve the State’s ability to effectively provide services to State agencies, promote cross-training, improve career development for State employees, improve interactivity of State operations, and eliminate duplicate functions within State agencies.
On March 31, 2008, Executive Order 2008-1 was issued which would have created three additional Shared Services Centers. However, both the House of Representatives and the Senate subsequently passed Resolutions disapproving Executive Order 2008-1. Consequently, the creation of the three additional Shared Services Centers was not approved by the General Assembly.
While there may be benefits to the Shared Services structure, there are also risks. These risks include the following:
• Lack of planning to effectively implement and coordinate with user agencies;
• Funds spent on Shared Services Centers which did not receive the approval of the General Assembly;
• Fiscal and human resources needs of user agencies not being adequately met by the Shared Services Centers; and
• User agencies being billed or providing funding for services they did not receive or without adequate support documenting the basis of the billings (as prior OAG audits found with the efficiency initiative billings agencies received from the Dept. of Central Management Services).
During the upcoming audit cycle we will be reviewing the implementation of the Shared Services structure.
Office of the Auditor General
Iles Park Plaza, 740 East Ash Street, Springfield, Illinois 62703-3154, or
Michael A. Bilandic Building, 160 N. LaSalle Street, Suite S-900, Chicago, Illinois 60601-3109