REPORT DIGEST ILLINOIS CRIMINAL JUSTICE INFORMATION AUTHORITY COMPLIANCE EXAMINATION FOR THE TWO YEARS ENDED JUNE 30, 2021 Release Date: March 22, 2022 FINDINGS THIS AUDIT: 14 CATEGORY: NEW -- REPEAT -- TOTAL Category 1: 0 -- 4 -- 4 Category 2: 6 -- 4 -- 10 Category 3: 0 -- 0 -- 0 TOTAL: 6 -- 8 – 14 FINDINGS LAST AUDIT: 10 Category 1: Findings that are material weaknesses in internal control and/or a qualification on compliance with State laws and regulations (material noncompliance). Category 2: Findings that are significant deficiencies in internal control and noncompliance with State laws and regulations. Category 3: Findings that have no internal control issues but are in noncompliance with State laws and regulations. State of Illinois, Office of the Auditor General FRANK J. MAUTINO, AUDITOR GENERAL To obtain a copy of the Report contact: Office of the Auditor General, Iles Park Plaza, 740 E. Ash Street, Springfield, IL 62703 (217) 782-6046 or TTY (888) 261-2887 This Report Digest and Full Report are also available on the worldwide web at www.auditor.illinois.gov SYNOPSIS • (21-01) The Illinois Criminal Justice Information Authority (Authority) failed to conduct adequate site visit monitoring of its grantees in accordance with its Federal and State Grants Unit’s Policies and Procedures. • (21-02) The Authority failed to prepare and maintain adequate documentation supporting its administrative and fiscal operations. • (21-14) The Authority had not implemented adequate internal controls related to its system and application access and control. FINDINGS, CONCLUSIONS, AND RECOMMENDATIONS FAILURE TO CONDUCT ADEQUATE SITE VISIT MONITORING OF GRANTEES The Illinois Criminal Justice Information Authority (Authority) failed to conduct adequate site visit monitoring of its grantees in accordance with its Federal and State Grants Unit’s Policies and Procedures (FSGU P&P). Specifically, we noted the following deficiencies: • The Authority did not conduct site visits for 42 of the 78 programs (54%). • Of the 23 programs which had a site visit timely conducted by the Authority, we selected a sample of 10 grants to determine if the Authority performed the site visit as required by its FSGU P&P. For seven grants (70%), site visit reports were approved by the grant monitor 120 to 474 days from the date of site visit. • The Authority did not perform site visits for 17 of 59 grants (29%) which required site visits be performed as a special condition or requirement of the grant agreement. (Finding 1, pages 11-14). This finding has been repeated since 2017. We recommended the Authority take immediate action to adequately conduct and document the site visits it performs during a State fiscal year for the purposes of monitoring grantees of the grant programs administered by the Authority. Authority management agreed with the recommendation and stated the failure to conduct adequate site visits was mostly attributed to grant staff workload, staffing levels, and an ambitious site visit policy. Authority management also stated the Authority had revised its site visit policy to incorporate remote video-conferencing technology and to schedule visits based on need and risk. GENERAL FAILURE TO PREPARE AND MAINTAIN DOCUMENTATION The Authority failed to prepare and maintain adequate documentation supporting its administrative and fiscal operations. We noted the following deficiencies when performing our compliance examination: • For 15 of 19 (79%) employees tested, the Authority did not maintain authorized employee deduction forms for health insurance enrollment, union dues, deferred compensation, transit deduction, Flexible Spending Accounts, and other insurance deductions. • For four of 19 (21%) employees’ Employment Eligibility Verification (I-9) forms were not found in their personnel files. As such we could not determine whether the Authority examined the identity and employment authorizations of those employees. • For 15 of 54 (28%) monthly reconciliations tested for the Monthly Appropriations Status Report (SB01), six of 48 (13%) monthly reconciliations tested for the Monthly Cash Report (SB05), and one of 18 (6%) monthly reconciliations tested for the Monthly Revenue Status Report (SB04), we were unable to determine if the reconciliations were performed within 60 days of the applicable month end as the Authority did not document the date the reconciliations were performed. • For six of 48 (13%) monthly reconciliations tested for SB05, two of 18 (11%) monthly reconciliations tested for SB04, and three of six (50%) monthly reconciliations tested for the Obligation Activity Report (SC15), the Authority was unable to locate the reconciliations performed. • For three of 60 (5%) grant agreements selected for testing, we noted the grants’ progress reports received by the Authority were not dated. As a result, we were unable to determine the timeliness of the progress reports received and if the Authority withheld grant payments until the progress reports were received. (Finding 2, pages 15-17). This finding has been repeated since 2017. We recommended Authority take immediate action to strengthen its control over records maintenance for each area in which a compliance requirement is present. Authority management agreed with the recommendation and stated it would pursue the adjustments to the policy, procedure, and training outlined in the various findings cited within the finding and train staff on the retainment of the necessary documentation to show compliance with the cited requirements. INFORMATION TECHNOLOGY ACCESS WEAKNESSES The Authority had not implemented adequate internal controls related to its system and application access and control. The Authority maintains computer systems that contain confidential information derived from both criminal and violent incidents as part of their mission to improve the administration of the criminal justice system in the State through centralized information. During testing, we noted the following weaknesses: • We tested a sample of 60 users, noting the Authority was unable to provide documentation that access was properly approved for the 60 users. • The Authority had not developed access provisioning policies and procedures. (Finding 14, pages 46-47) We recommended the Authority establish formal procedures for requesting and authorizing access to its systems and data. Authority management agreed with the recommendation and stated the Authority did not have a permanent Information Technology (IT) Director and was working to fill that position. Authority management also stated the IT Director would work with the Department of Innovation and Technology and the Authority’s executive staff to create policies based upon best practices. OTHER FINDINGS The remaining findings pertain to inadequate controls over monitoring grant agreement requirements, expenditures and obligations, payroll file deductions, submission of public accountability reports, I-9 forms, and GAAP reporting; noncompliance with the Gang Crime Witness Protection Act of 2013, contracting agreements and ethics and harassment training requirements; non-appointment of members; and weaknesses in cybersecurity programs and practices. We will review the Authority’s progress towards the implementation of our recommendations in our next State compliance examination. ACCOUNTANT’S OPINION The accountants conducted a State compliance examination of the Authority for the two years ended June 30, 2021, as required by the Illinois State Auditing Act. The accountants qualified their report on State compliance for Findings 2021-001 through 2021-004. Except for the noncompliance described in these findings, the accountants stated the Authority complied, in all material respects, with the requirements described in the report. This State compliance examination was conducted by Roth & Co., LLP. JANE CLARK Division Director This report is transmitted in accordance with Section 3-14 of the Illinois State Auditing Act. FRANK J. MAUTINO Auditor General FJM:vrb