Volume 25, 2019 Annual Edition
Emerging and Potential Audit Issues
Frank J. Mautino, Auditor General
Auditor General’s Message
This has been a year of significant change in State government, and the year is not yet over. Many agencies have new administrators. Other agencies have undertaken new programs or made substantial changes to existing ones. As external auditors, we are keenly aware that such fundamental shifts in State government bring both opportunity and risk.
Our responsibilities as external auditors are heightened by this year of transition. One purpose of the external audit process is to provide a continuum of oversight that is not affected by changes in administration or processes. Our upcoming audits will focus on new and revised responsibilities within each agency of
Our audits may also give insight to new administrators about what might be improved in an agency’s operations, as well as what has worked well in the past and might be retained. Collectively, our published reports provide a vehicle through which agencies can learn from the experience of other agencies. In part, this annual Illinois Audit Advisory is intended to summarize problems found during the prior audit cycle that cross agency boundaries and to address challenges we all face.
Check It Out
Check out the Auditor General’s website for a wealth of useful information including:
· Financial and compliance examinations and performance audits dating back to the early 1990s;
· OAG annual report;
· Past issues of the Audit Advisory;
· FCIAA filings;
· Emergency purchase filings;
· OAG procurement information; and
· Other audit related links.
Overview of the Types of Audits Performed by the Office of the Auditor General
With a new administration and new leadership in many State agencies, new employees may find themselves faced with their first audit by the Office of the Auditor General. Here is a quick overview of the different types of audits we do.
Financial audits and compliance examinations are mandated by law. They disclose the obligation, expenditure, receipt, and use of public funds. They also provide agencies with specific recommendations to help ensure compliance with State and Federal statutes, rules and regulations. All State agencies receive a financial audit, a compliance examination, or both, at least once every two years.
Performance audits are special audits conducted at the request of legislators to assist them in overseeing State government. Programs, functions, and activities are reviewed according to the direction of the audit resolution or law directing the audit. The General Assembly may then use the audit recommendations to develop legislation for the improvement of government.
Information Systems audits are performed on the State’s computer networks. They determine whether appropriate controls and recovery procedures exist to manage and protect the State’s financial and confidential information. These are generally performed in conjunction with compliance examinations. In addition, we annually perform a System and Organization Control (SOC) report over the IT general controls and application controls at the Department of Innovation & Technology, which provides services for 101 user agencies.
The purpose of the Statewide Single Audit is to fulfill the State mandate in accepting federal funding. It includes all State agencies that are part of the primary government and expend federal awards.
Agreed-upon procedures engagements consist of performing specific procedures on subject matter and reporting findings without providing an opinion or a conclusion. An example would be procedures performed when there is a change in administration in one of the constitutional offices such as the Governor’s Office.
At the beginning of the audit an entrance conference will be held to discuss the conduct of the audit; an exit conference will be held at the audit’s conclusion to discuss any findings and recommendations. An agency’s written responses to the audit recommendations are included in the audit report.
Inadequate Internal Audit Function
The Fiscal Control and Internal Auditing Act (the Act) requires each designated State agency to maintain a full-time program of internal auditing. In 2003, by Executive Order (2003-10), then Governor Blagojevich transferred the internal auditors from the various State agencies and consolidated them into the Illinois Office of Internal Audit at the Department of Central Management Services (CMS). In 2009, the General Assembly unanimously rejected this consolidation of internal audit authority in CMS and directed that the internal auditors and their functions be returned to their respective designated State agencies.
Findings in Recent Audits
Recent audits have found that as many as seven designated State agencies had an inadequate internal audit function. These agencies were required to have a Chief Internal Auditor appointed by the chief executive officer of the agency and to maintain a full-time program of internal auditing. Instead, the agencies had entered into intergovernmental agreements with CMS to provide internal auditing services.
The establishment of the Department’s internal audit function by interagency agreement hinders the operational autonomy intended by the General Assembly for internal auditors. Department management cannot terminate an appointed chief internal auditor prior to the conclusion of their term without cause and a hearing before the Executive Ethics Commission, but management can terminate the interagency agreement with CMS at any time for any reason.
For designated State agencies, not appointing a chief internal auditor and not having a full-time internal audit program is a violation of the Fiscal Control and Internal Auditing Act. In a recent audit, we recommended the agency’s Director appoint a chief internal auditor and ensure a full-time program of internal auditing is in place. The agency responded that it would work with CMS to revise the intergovernmental agreement. Since the auditors did not believe this arrangement met the requirements of the Act, we requested a formal written opinion from the Attorney General’s Office.
Attorney General’s Opinion
In Opinion 19-001 dated August 9, 2019, the Attorney General confirmed our position by stating “…pursuant to the Fiscal Control and Internal Auditing Act, multiple designated State agencies may not appoint the same individual as their chief internal auditor through an intergovernmental agreement.” The opinion further stated that the Act unambiguously requires each chief executive officer of a designated State agency to appoint a chief internal auditor and that nothing in the Act authorizes the agency to contract around the Act’s requirements.
According to the Attorney General Opinion, the Act contemplates that each chief internal auditor will serve only one designated State agency and will do so on a full-time basis. A designated State agency may not enter into an intergovernmental agreement that shares internal audit services without violating the Act.
Importance of a Full-time Internal Audit Program
Failure to establish a full-time internal audit program weakens an agency’s ability to assess its overall internal control environment. The chief internal auditor develops a deep understanding of the Department’s functions and processes; oversees and performs audits of the Department’s major systems of internal accounting and administrative controls on a periodic basis; and oversees and reviews major new information systems and major modifications to information systems prior to implementation.
A strong internal audit function is an important part of the internal control system of a government agency. Internal auditors can be of great value to state and local governments in a variety of ways. In particular, they commonly assist management in monitoring the design and proper functioning of internal control policies and procedures. In this capacity, internal auditors themselves function as an additional level of control and so help to improve the government’s overall control environment. A formal internal audit function is particularly valuable for those activities involving a high degree of risk such as complex accounting systems and contracts with outside parties. Designated State agencies should appoint a Chief Internal Auditor and ensure a full-time program of internal auditing is in place and functioning.
“Designated State agencies” include the offices of the Secretary of State, the State Comptroller, the State Treasurer, and the Attorney General, the State Board of Education, the State colleges and universities, the Illinois Toll Highway Authority, the Illinois Housing Development Authority, the public retirement systems, the Illinois Student Assistance Commission, the Illinois Finance Authority, the Environmental Protection Agency, the Capital Development Board, the Department of Military Affairs, the State Fire Marshal, and each Department of State government created in Article 5, Section 5-15 of the Civil Administrative Code of Illinois. (30 ILCS 10/1003(a))
Departments listed in Section 5-15 of the Civil Administrative Code of Illinois include: Aging, Agriculture, Central Management Services, Children and Family Services, Commerce and Economic Opportunity, Corrections, Employment Security, Emergency Management Agency, Financial and Professional Regulation, Healthcare and Family Services, Human Rights, Human Services, Innovation and Technology, Insurance, Juvenile Justice, Labor, Lottery, Natural Resources, Public Health, Revenue, State Police, Transportation, and Veterans' Affairs. (20 ILCS 5/5-15)
Outsourcing IT Functions and the Need for Thorough Reviews
Many organizations, including state agencies, are using external service providers to process and store critical data. In Illinois, state agencies have increasingly entered into agreements and utilized service providers for information system functions. Since essential IT functions have been outsourced, we have been reviewing contracts and agency efforts to ensure the internal controls at service providers adequately protect data from unauthorized or accidental disclosure, modification, or destruction. The responsibility to protect its data is not removed from an agency when it outsources IT functions to a service provider.
Several highly publicized breaches, including the exposure of personal information for over 100 million users in July 2019, indicated that weaknesses in controls at a cloud service provider were the cause of the breach.
During our audits, we found that some agencies have not performed the necessary steps to ensure their data is protected from disclosure or destruction. As a result, we have been recommending that agencies identify all third-party service providers and determine and document if a review of controls is required. If required, each agency should:
· Obtain Service Organization Control (SOC) reports (or perform independent reviews) of internal controls associated with outsourced systems at least annually.
· Monitor and document the operation of the Complementary User Entity Controls (CUECs) relevant to agency operations.
· Either obtain and review SOC reports for subservice organizations or perform alternative procedures to satisfy itself that the existence of the subservice organization would not impact its internal control environment.
· Document its review of the SOC reports and review all significant issues with subservice organizations to ascertain if a corrective action plan exists and when it will be implemented, any impacts to the agency, and any compensating controls.
· Review contracts with service providers to ensure applicable requirements over the independent review of internal controls are included.
The Value of Agency Cooperation During the Audit Process
In the past, we have at times experienced untimely cooperation from agencies during the audit process. During the course of an audit, auditors make numerous information requests of agencies. Agency officials need to make sure they respond in a timely fashion and that the information they are providing to the auditors is complete and accurate. When agencies do not respond in a timely manner or provide information which is incomplete or inaccurate, it not only delays the audit, it can also raise the professional skepticism of the auditors.
The Illinois State Auditing Act requires agencies to cooperate promptly with audit requests. The Act states, “At the request of the Auditor General, each State agency shall, without delay, make available to the Auditor General or his or her designated representative any record or information requested…” (30 ILCS 5/3-12) If pervasive, a lack of cooperation can lead to an audit finding.
The following tips can assist agency staff in promptly responding and fulfilling audit requests:
· Establish and maintain a system to facilitate audit requests. Requests should be logged, tracked, and monitored to ensure timely response.
· Assign responsibilities as necessary to facilitate the requests and to ensure that requests are timely and accurately fulfilled.
· gain an understanding of the exact information the auditors require and suggest the most efficient way for the auditors to access
· When providing information, provide well-ordered, clear documents.
· Set a tone at the top of the agency emphasizing to agency staff the importance of prompt cooperation.
Regional Office of Education – Delay of Audit Finding
The Office of the Auditor General conducts annual financial audits of the regional superintendent of schools of each educational service region in the State. One issue that has been prevalent in many of the audits is the timeliness of the audits. In response, auditors began issuing delay of audit findings to the regional offices.
Illinois administrative rules require that financial reports be available no later than August 31 in order for the annual audits to be completed. (74 Ill. Adm. Code 420.320 (c) (2))
Of the 19 fiscal year 2018 audits that have been issued (as of July 31, 2019), 10 have included a delay of audit finding.
New Government Auditing Standards Effective Soon
The Generally Accepted Government Auditing Standards, also known as the Yellow Book, provide a framework for conducting high-quality audits with competence, integrity, objectivity, and independence.
The Yellow Book outlines the requirements for audit reports, professional qualifications for auditors, and audit organization quality control. Auditors of federal, state, and local government programs use these standards to perform their audits and produce their reports.
The U.S. Government Accountability Office has issued a revised version of the Yellow Book. The 2018 revision is effective as follows:
• For financial audits, attestation engagements, and reviews of financial statements for periods ending on or after June 30, 2020, and
• For performance audits beginning on or after July 1, 2019.
Copies of the Yellow Book are available at the GAO’s website: https://www.gao.gov
Office of the Auditor General
Iles Park Plaza, 740 East Ash Street
Springfield, Illinois 62703-3154
Michael A. Bilandic Building,
160 N. LaSalle Street, Suite S-900
Chicago, Illinois 60601-3109
Fraud Hotline: 1-855-217-1895