REPORT DIGEST

ILLINOIS CRIMINAL JUSTICE INFORMATION AUTHORITY

COMPLIANCE EXAMINATION FOR THE YEAR ENDED JUNE 30, 2023

Release Date: June 13, 2024

FINDINGS THIS AUDIT: 18

CATEGORY      NEW   REPEAT   TOTAL
Category 1      1        4       5
Category 2      6        7      13
Category 3      0        0       0
TOTAL           7       11      18

FINDINGS LAST AUDIT: 14

State of Illinois, Office of the Auditor General
FRANK J. MAUTINO, AUDITOR GENERAL

To obtain a copy of the Report contact: Office of the Auditor General, 400 West Monroe, Suite 306, Springfield, IL 62704-9849, (217) 782-6046 or TTY (888) 261-2887

This Report Digest and Full Report are also available on the worldwide web at www.auditor.illinois.gov

SYNOPSIS

• (23-01) The Illinois Criminal Justice Information Authority (Authority) failed to conduct adequate site visit monitoring of its grantees in accordance with its Federal and State Grants Unit’s Policies and Procedures.
• (23-02) The Authority failed to prepare and maintain adequate documentation supporting its administrative and fiscal operations.
• (23-05) The Authority’s internal controls over its voucher processing function were not operating effectively during the examination period.

FINDINGS, CONCLUSIONS, AND RECOMMENDATIONS

FAILURE TO CONDUCT ADEQUATE SITE VISIT MONITORING OF GRANTEES

The Illinois Criminal Justice Information Authority (Authority) failed to conduct adequate site visit monitoring of its grantees in accordance with its Federal and State Grants Unit’s Policies and Procedures (FSGU P&P). Specifically, we noted the following deficiencies:

• The Authority did not conduct site visits for 25 of the 104 programs (24%).
• Of the 65 programs which had a site visit timely conducted by the Authority, we selected a sample of 10 grants to determine if the Authority performed the site visit as required by its FSGU P&P and noted site visit reports were completed 21 and 47 days late for two grants (20%).
• The Authority did not perform site visits for 30 of 60 grants (50%) which required site visits be performed as a special condition or requirement of the grant agreement.

(Finding 1, pages 11-13) This finding has been reported since 2017.

We recommended the Authority conduct and document the site visits performed during a State fiscal year for grant programs administered by the Authority.

Authority management agreed with the recommendation and stated the failure to conduct adequate site visits was largely attributed to grant staff workload. Authority management further stated during State fiscal year 24/25, the Authority plans to increase its headcount by an additional 50 staff members; approximately 20 of the new people will be deployed to federal and State grants unit. Authority management also stated these new people will lower existing staff workloads and expand their grant monitoring (and monitoring documentation) capabilities.

GENERAL FAILURE TO PREPARE AND MAINTAIN DOCUMENTATION

The Authority failed to prepare and maintain adequate documentation supporting its administrative and fiscal operations. We noted the following deficiencies when performing our compliance examination:

• During testing of 10 grant files in which the Authority conducted a grantee site visit during the examination period, we noted the site visit reports for two (20%) grants were not approved by the program manager. Also, the site visit follow-up letters for two (20%) grants were not sent to the grantees. Upon our notification of the exception, the Grant Specialist sent the follow-up letters to the grantees 250 and 497 days late.
• During testing of 60 grant agreements, we noted multiple exceptions in which required documents were not maintained within the grant masterfile.
• During review of 42 Monthly Cash Report (SB05) reconciliations, the Authority was unable to locate three (7%) monthly reconciliations performed.
• During review of 13 travel vouchers, we noted travel request forms for two (15%) vouchers were not completed by employees. Additionally, the supporting documentation could not be located for one (8%) travel voucher. As such, the purpose of travel, signature of traveler, and approval of voucher could not be determined and verified.
• We conducted an analysis of the Authority’s receipts data for fiscal years 2022 and 2023 and noted the Authority did not document the date the payment was received for two of 573 (less than 1%) receipts. As such, we were unable to determine if the Authority deposited the receipts timely.
• During review of 26 employees’ Employment Eligibility Verification (Form I-9) forms, we noted Section 1 of Form I-9 for one of seven (14%) new employees was not completed. In addition, Section 2 of Form I-9 for six (23%) employees was not completed by the Authority.
• During review of the Authority’s fiscal years 2021 and 2022 Agency Workforce Reports (Reports), we noted the support provided by the Authority did not agree with both fiscal years’ Reports for multiple categories.
• During testing of the Authority’s system and application changes, we noted three (100%) sampled changes did not have change management documentation, thus we were unable to determine if change control was working effectively.
• During review of the Authority’s cybersecurity programs and practices, we noted the Authority had not maintained server room logs for the period from July 1, 2021 through July 31, 2022.
• We tested three applications to determine if access was appropriate and noted for one application (33%), the Authority did not remove six of 26 (23%) employees’ access after their separation. The Authority was unable to provide the documentation to determine when the access was removed.

(Finding 2, pages 14-16) This finding has been reported since 2017.
We recommended the Authority strengthen its control over records maintenance for each area in which a compliance requirement is present.

Authority management agreed with the recommendation and stated it would pursue the adjustments to the policy, procedure, and training outlined in the various findings cited within the finding and train staff on the proper preparation and retention of documents to comply with the cited requirements.

VOUCHER PROCESSING INTERNAL CONTROLS NOT OPERATING EFFECTIVELY

The Authority’s internal controls over its voucher processing function were not operating effectively during the examination period.

Due to our ability to rely upon the processing integrity of the Enterprise Resource Planning System (ERP) operated by the Department of Innovation and Technology (DoIT), we were able to limit our voucher testing at the Authority to determine whether certain key attributes such as 1) vendor information, 2) expenditure amount, 3) object(s) of expenditure, and 4) the later of the receipt date of the proper bill or the receipt date of the goods and/or services were properly entered by the Authority’s staff into the ERP. Our testing noted two of 140 (1%) attributes were not properly entered into the ERP.

Even given the limitations noted above, we conducted an analysis of the Authority’s expenditures data for fiscal years 2022 and 2023 to determine compliance with the State Prompt Payment Act (Act) (30 ILCS 540) and the Code (74 Ill. Admin. Code 900.70). We noted the following noncompliance:

• The Authority owed two vendors interest totaling $334 in fiscal years 2022 and 2023; however, the Authority had not approved these vouchers for payment to the vendors.
• The Authority did not timely approve 133 of 7,158 (2%) vouchers processed during the examination period, totaling $1,898,904. We noted these late vouchers were approved between one and 171 days late.
In addition, during our testing of 13 travel vouchers, we noted the following:

• One (8%) out-of-State travel request totaling $1,498 was submitted four days late to the Governor’s Office of Management and Budget (GOMB).
• One (8%) travel voucher totaling $1,498 was not approved by the Authority Head.

(Finding 5, pages 25-27)

We recommended the Authority design and maintain internal controls to provide assurance its data entry of key attributes into the ERP is complete and accurate. In addition, we recommended the Authority process proper bills within 30 days of receipt and approve vouchers for payment of interest due to vendors. Further, we recommended the Authority enhance controls to ensure travel expenditures comply with State laws and regulations.

Authority management agreed with the recommendation and stated the Authority expects to be fully compliant with the payment and interest payment regulations after they are fully staffed, and a sufficient period of training has elapsed. Authority management further stated a memo to all Authority staff was to be issued reminding staff to complete the Travel Request Forms and obtain the proper approvals prior to travel.

OTHER FINDINGS

The remaining findings pertain to inadequate controls over monitoring grant agreement requirements, expenditures and obligations, I-9 forms, GAAP reporting, Agency Workforce Reporting, service providers, and information technology access controls; noncompliance with the Violent Crime Witness Protection Act, contracting agreements, and the Domestic Violence Fatality Review Act; non-appointment of members; receipts processing weakness; change control weaknesses; weaknesses in disaster contingency planning; and weaknesses in cybersecurity programs and practices. We will review the Authority’s progress towards the implementation of our recommendations in our next State compliance examination.
ACCOUNTANT’S OPINION

The accountants conducted a State compliance examination of the Authority for the two years ended June 30, 2023, as required by the Illinois State Auditing Act. The accountants qualified their report on State compliance for Findings 2023-001 through 2023-004, and 2023-014. Except for the noncompliance described in these findings, the accountants stated the Authority complied, in all material respects, with the requirements described in the report.

This State compliance examination was conducted by Roth & Co., LLP.

JANE CLARK
Division Director

This report is transmitted in accordance with Section 3-14 of the Illinois State Auditing Act.

FRANK J. MAUTINO
Auditor General

FJM:vrb