REPORT DIGEST

DEPARTMENT ON AGING

COMPLIANCE EXAMINATION
FOR THE TWO YEARS ENDED JUNE 30, 2020

Release Date:  August 11, 2021

FINDINGS THIS AUDIT:  21

CATEGORY:  NEW -- REPEAT -- TOTAL
Category 1:  0 -- 5 -- 5
Category 2:  8 -- 8 -- 16
Category 3:  0 -- 0 -- 0
TOTAL:  8 -- 13 -- 21

FINDINGS LAST AUDIT: 16

Category 1: Findings that are material
weaknesses in internal control and/or
a qualification on compliance with
State laws and regulations (material
noncompliance).
Category 2: Findings that are
significant deficiencies in internal
control and noncompliance with State
laws and regulations.
Category 3: Findings that have no
internal control issues but are in
noncompliance with State laws and
regulations.

State of Illinois, Office of the
Auditor General
FRANK J. MAUTINO, AUDITOR GENERAL

To obtain a copy of the Report
contact:
Office of the Auditor General, Iles
Park Plaza, 740 E. Ash Street,
Springfield, IL 62703
(217) 782-6046 or TTY (888) 261-2887

This Report Digest and Full Report are
also available on the worldwide web at
www.auditor.illinois.gov

SYNOPSIS

• (20-1) The Department lacked
adequate controls and monitoring over
eligibility determinations and
payments made to service provider
agencies that applied for and received
a special hourly rate under the
Community Care Program.
• (20-4) The Department did not
adequately monitor its grantees and
service providers.
• (20-7) The Department failed to
develop a program to identify the
special needs and problems of minority
senior citizens as required by the
Illinois Act on the Aging.
• (20-9) The Department had not
implemented adequate internal controls
related to cybersecurity programs and
practices.

FINDINGS, CONCLUSIONS, AND
RECOMMENDATIONS

INADEQUATE CONTROLS AND MONITORING
OVER ENHANCED RATE PAYMENTS MADE TO
COMMUNITY CARE PROGRAM SERVICE
PROVIDERS

The Department lacked adequate
controls and monitoring over
eligibility determinations and
payments made to service provider
agencies that applied for and received
a special hourly rate under the
Community Care Program.
For the two fiscal years under
examination, the Department paid all
providers a total of $86,458,388 for
enhanced rate payments. The auditors
tested 6 of 12 (50%) providers who
were paid an enhanced rate and noted
none of the providers tested submitted
a verification from an independent
certified public accountant of the
actual, documented expense for health
insurance during at least one of the
fiscal years tested. In addition, 6 of
6 (100%) providers tested did not
submit a Direct Service Worker Health
Insurance Certification during at
least one of the fiscal years tested.
(Finding 1, pages 10-11).  This
finding has been repeated since 2010.

We recommended the Department
strengthen controls to ensure initial
and ongoing reviews of eligibility and
annual reporting for the enhanced
reimbursement rate are conducted and
documented in a timely manner, and in
accordance with the Code. We also
recommended the Department obtain
reimbursement from providers if
determined to be ineligible.

The Department concurred with the
finding and stated it is currently
working to hire a manager to develop
proper procedures and trainings for
staff to create a cohesive area so
initial and ongoing reviews of
eligibility and annual reporting for
the enhanced reimbursement rate are
conducted and documented in a timely
manner, and in accordance with the
Illinois Administrative Code.

INADEQUATE MONITORING OF GRANTEES AND
SERVICE PROVIDERS

The Department did not adequately
monitor its grantees and service
providers. The auditors noted the
following exceptions:

• The Department had not received
annual audit reports for 2 of 20 (10%)
Fiscal Year 2019 grantees/service
providers tested. The 2 grantees/
service providers received $15,278
from the Department for the individual
programs tested and $20,094,837 in
total payments (inclusive of all
programs) for the fiscal year tested.

• Three of 25 (12%) home care aide
providers tested had not submitted an
audit to the Department since 2016.

• Of the 22 home care aide providers
which did submit an audit, 19 (86%)
did not include any evidence of
assurance the provider’s procedures
were in compliance with the
Department’s financial reporting
guidelines requiring an administrative
and employee wage and benefits cost
split. (Finding 4, pages 18-19)  This
finding has been repeated since 2016.

We recommended the Department
designate sufficient staff to monitor
grantees/service provider activities
by identifying, following-up on and
enforcing submission of delinquent
audit reports in order to determine
whether the funds were utilized in
accordance with the purpose of the
program.

The Department concurred with the
finding and stated it is currently
working to hire a manager to develop
proper procedures and trainings for
staff to ensure standardized
monitoring of audit requirements to
comply with the financial components
of agreements and contracts. The
Department also stated internal
communication will be improved and
will be inclusive of program managers
to act when necessary for providers to
become compliant.

FAILURE TO DEVELOP A PROGRAM TO
IDENTIFY THE SPECIAL NEEDS AND
PROBLEMS OF MINORITY SENIOR CITIZENS

The Department failed to develop a
program to identify the special needs
and problems of minority senior
citizens as required by the Illinois
Act on the Aging (Act)

The Department did not develop a
prescribed program to identify the
special needs and problems specific to
minority senior citizens as opposed to
all senior citizens. In addition, the
Department had not promulgated any
administrative rules to establish the
responsibilities of the Department
related to a separate program
targeting minority senior citizens,
and had not coordinated services
specific to targeted minority senior
citizens with the other named
departments pursuant to the Act.

Annual reports with demographic
information for the Department’s
existing programs for all senior
citizens provided almost no
information on programs and services
specific to minorities as provided
under Section 4.06 of the Act. The
auditors also noted these annual
reports were compiled and submitted 15
months, instead of 3 months, following
completion of the State’s fiscal year.

Department management stated they
believe existing programs and outreach
efforts satisfy the intent of the Act.
(Finding 7, pages 24-26)

We recommended the Department comply
with the Act or seek a statutory
revision.

The Department partially concurred
with the finding and stated it
provides services to minority senior
citizens through its inclusive
approach to programming. The
Department further stated it is
presently working to evaluate its
outreach to minority populations to
determine a more effective means to
target its outreach efforts to
minority populations under-represented
in its current programs and to plan
for the projected changes in Illinois’
aging demographics. The Department
also noted that although it does not
have a distinct program targeting
minority seniors, the Department’s
inclusive approach to the provision of
supports and services is evidenced
through its programs.

In an Accountant’s Comment, we stated
if the Department believes a program,
services, evaluation, administrative
rules, and reporting specific to
minority senior citizens pursuant to
Section 4.06 are not necessary, or if
the Department believes existing
programs, services, and reporting are
sufficient to satisfy the intent of
the Act, the Department should seek a
legislative remedy to either eliminate
or amend the specific requirements of
the Act.

WEAKNESSES IN CYBERSECURITY PROGRAMS
AND PRACTICES

The Department had not implemented
adequate internal controls related to
cybersecurity programs and practices.
We noted the Department:

• Had not developed a formal,
comprehensive, adequate, and
communicated security program
(policies, procedures, and processes)
to manage and monitor the regulatory,
legal, environmental and operational
requirements.
• Had not established and documented
cybersecurity roles and
responsibilities.
• Had not classified its data to
identify and ensure adequate
protection of information (i.e.
confidential or personal information)
most susceptible to attack.
• Had not evaluated and implemented
appropriate controls to reduce the
risk of attack.
• Had not ensured all the Department’s
employees completed cybersecurity
training for calendar year 2019 in
accordance with the Data Security on
State Computers Act.  (Finding 9,
pages 28-29)

We recommended the Department:

• Establish and communicate the
Department’s security program (formal
and comprehensive policies,
procedures, and processes) to manage
and monitor the regulatory, legal,
environmental and operational
requirements.
• Establish and document cybersecurity
roles and responsibilities.
• Classify its data to identify and
ensure adequate protection of
information.
• Evaluate identified risks and
implement appropriate controls to
reduce risk.
• Monitor and follow up on employees
who have not completed cybersecurity
training as required by the Act in
order to enforce the training
requirement.

The Department concurred with the
finding and stated it has complied
with all needed actions identified by
the National Institute of Standards
and Technology, in the Department’s
Cybersecurity Plan, which was
completed 05/26/2021, with links to
appropriate in force Department of
Innovation and Technology Policies and
Plans.

OTHER FINDINGS

The remaining findings pertain to
fiscal and administrative
responsibilities, statutory mandates,
and information technology controls.
We will review the Agency’s progress
towards the implementation of our
recommendations in our next compliance
examination.

ACCOUNTANT’S OPINION

The accountants conducted a compliance
examination of the Department for the
two years ended June 30, 2020, as
required by the Illinois State
Auditing Act.  The accountants
qualified their report on State
compliance for Findings 2020-001
through 2020-005.  Except for the
noncompliance described in these
findings, the accountants stated the
Department complied, in all material
respects, with the requirements
described in the report.

This compliance examination was
conducted by Borschnack, Pelletier and
Co.

JANE CLARK
Division Director

This report is transmitted in
accordance with Section 3-14 of the
Illinois State Auditing Act.

FRANK J. MAUTINO
Auditor General

FJM:lkw