REPORT DIGEST ILLINOIS CRIMINAL JUSTICE INFORMATION AUTHORITY FINANCIAL AND COMPLIANCE AUDIT (In accordance with the Single Audit Act and OMB Circular A-133) For the Two Years Ended: Summary of Findings: Total this audit 2 Release Date: State of Illinois WILLIAM G. HOLLAND To obtain a copy of the Report contact: (217) 782-6046 or TDD (217) 524-4646 This Report Digest is also available on |
SYNOPSIS
{Expenditures and Activity Measures are summarized on the reverse page.} |
ILLINOIS CRIMINAL JUSTICE INFORMATION AUTHORITY
FINANCIAL AND COMPLIANCE AUDIT
For The Two Years Ended June 30, 1999
EXPENDITURE STATISTICS | FY 1999 |
FY 1998 |
FY 1997 |
|
$47,053,626 |
$45,147,809 |
$36,180,501 |
OPERATIONS TOTAL | $4,967,278 |
$5,084,391 |
$5,185,641 |
% of Total Expenditures | 11% |
11% |
14% |
Personal Services | $1,842,993 |
$2,040,600 |
$2,194,336 |
% of Operations Expenditures | 37% |
40% |
42% |
Average No. of Employees(1) | 49 |
54 |
57 |
Other Payroll Costs (FICA, Retirement) | $409,230 |
$392,238 |
$372,473 |
% of Operations Expenditures | 8% |
8% |
7% |
Contractual Services | $537,038 |
$579,062 |
$627,768 |
% of Operations Expenditures | 11% |
11% |
12% |
All Other Operations Items | $2,178,017 |
$2,072,491 |
$1,991,064 |
% of Operations Expenditures | 44% |
41% |
39% |
GRANTS TOTAL | $42,086,348 |
$40,063,418 |
$30,994,860 |
% of Total Expenditures | 89% |
89% |
86% |
|
$6,324,608 |
$6,419,131 |
$6,389,398 |
SELECTED ACTIVITY MEASURES | FY 1999 |
FY 1998 |
FY 1997 |
|
|||
Users | 354 |
337 |
321 |
User fees expended | $1,561,900 |
$1,473,500 |
$1,510,300 |
|
|||
Users | N/A |
8 |
8 |
User fees expended | N/A |
$286,000 |
$316,800 |
AGENCY DIRECTOR(S) |
During Audit Period: Candice Kane Currently: Candice Kane |
(1)
Excludes contractual employees: 99 - 36; 98 - 41; 97 - 37.N/A - Beginning July 1, 1998, program transferred to State Police.
Failure to develop a formal comprehensive disaster contingency plan for its computer systems
|
FINDINGS, CONCLUSIONS, AND RECOMMENDATIONS DISASTER CONTINGENCY PLAN WEAKNESS The Authority has approximately $6,000,000 of computer equipment, which maintains four critical applications, but the Authority has not developed a formal comprehensive disaster contingency plan for timely continuance of service to police users, or to the users of the local area network at the agency. The Authority has not identified key components of a contingency plan, such as a recovery site and procurement of replacement equipment, and it has not defined personnel assignments in the event of a disaster. Furthermore, the Authority does not have an alternative power source to safeguard against data loss in the event of a power failure. This finding has been repeated since 1987. One of the Authoritys critical system applications is to provide local law enforcement officers the ability to retrieve information from their patrol cars relating to the current status of any drivers license or vehicle in the State of Illinois. The loss of computer services would make these services unavailable (Finding 2, paged 22-24) We recommended the Authority develop a comprehensive disaster contingency plan for both the midrange computers and the LAN and obtain an alternative power source to provide protection against power loss and to reduce the potential for loss of data. Also, the plan should provide for acceptable recovery time frames that consider public safety issues. This plan should be tested, frequently analyzed, and updated. Authority officials agreed with our recommendation and stated they will attempt to secure funding for a disaster recovery analysis to be performed and for obtaining an alternative power source. (For previous agency responses, see Digest Footnote 1.) OTHER FINDING The remaining finding is less significant and is being given attention by Authority management. We will review progress toward implementation of our recommendations in our next audit. Authority responses to the recommendations were provided by Candice Kane, Executive Director. AUDITORS OPINION Our auditors state that the financial statements of the Illinois Criminal Justice Information Authority as of June 30, 1999 and June 30, 1998, and for the years then ended are presented fairly in all material respects.
____________________________________ WILLIAM G. HOLLAND, Auditor General WGH:ROQ:ak SPECIAL ASSISTANT AUDITORS Our special assistant auditors for this audit were DeRaimo, Hillger, & Ripp. DIGEST FOOTNOTES #1 FAILURE TO DEVELOP A COMPREHENSIVE DISASTER CONTINGENCY PLAN - Previous Agency Responses 1997: "Accepted. The Authority agrees with the finding and fully recognizes the importance of developing and implementing a complete disaster recovery system, as well as obtaining an alternative power source. This finding has been included in every audit of the Authority since 1987, and funds have likewise been requested to address the issue in every fiscal year since then. However, such funding has not been approved. The Authority continues to strengthen its disaster planning and recovery efforts in every area that does not require the expenditure of additional new funds. As such, basic contingency plans, personnel assignments and a recovery strategy to be used in the event of a disaster have already been developed. However, provisions for such items as a backup site and an alternative power source cannot be accommodated without the appropriation of sufficient funds. An amount of $12.0 thousand was approved by the Administration in fiscal year 1997, specifically to cover the cost of a Disaster Recovery Analysis. In September 1996, the Authority hired a specialist company, "Environmental Systems Design Inc.," (ESD) to perform such an analysis. ESD's completed report detailed its investigation, examined the scope of the problem, documented specific implementation requirements and estimated that full implementation would cost over $700.0 thousand (in calendar 1996 dollars). Because of the large cost to fully implement this system, a decision was made to seek funding on a multi-year basis. The Authority, therefore, requested $60.0 thousand in its fiscal year 1998 expansion budget, in order to implement some of the study's recommendations that were specifically associated with health and safety issues. Funding was not approved for fiscal year 1998, and $60.0 thousand has once again been requested, in our fiscal year 1999 budget submission, to address this critical issue." 1995: "Accepted. This finding has been included in every audit of the Authority since 1987, and funds have likewise been requested to address the issue in every fiscal year since then. However, such funding has not been approved. The Authority agrees to strengthen its current disaster planning and recovery efforts in every area that does not require expenditure of additional new funds. Furthermore, the Authority will, to the best of its ability, develop contingency plans, personnel assignments and a recovery strategy to be used in the event of a disaster. However, provisions for such items as a backup site and alternative power source cannot be accommodated without the appropriation of sufficient funds to implement a comprehensive disaster plan. Given the inability to obtain funds for such a large undertaking, and in order to provide an updated assessment of the scope and cost of such a system, the Authority has included a modest request in their fiscal year 1997 budget submission, to cover the cost of hiring an environmental systems design company, who would investigate and document requirements for implementation of a disaster recovery system. This updated knowledge will enable the Authority to once again request sufficient funding (in todays dollars) to address this finding." 1993: "The Authority accepts the recommendation and has developed a written plan addressing this issue. However, without specific funding for installation of an uninterruptable power supply, the plan cannot be implemented or tested. Funds for implementation of a disaster recovery plan were requested in the Authority's FY95 budget and have been denied by the Administration. This represents the Authoritys eighth budget request for funds to implement a disaster recovery plan, all of which have been denied. During calendar year 1994, the Authority will fully investigate the viability of short-term rental of a generator. We will thus be able to make an informed decision as to whether, in the event of an emergency, resources can be dedicated to this albeit stop-gap measure." 1991: "Accepted. The Authority is presently developing a written disaster recovery plan. This plan will specify the critical systems, responsible individuals and a schedule of events to perform in the event of a partial or total system failure. The timetable for completion of this plan is November 1992. In addition, the Authority will investigate the costs for the recommendation of installing an uninterruptable power supply (UPS) and short-term rental of a generator, for use in the event of an emergency. Funds will continue to be requested, as they have for the past 7 years, in the Authority's FY94 budget submission to implement the written plan." 1989: "The Authority accepts the recommendation and acknowledges the need for a complete disaster recovery plan and system. Funding for a backup power supply has been requested and denied for the past five fiscal years. Funding for such a system was again requested in the FY92 budget submission. The Authority has obtained a disaster recovery planning kit, and the Associate Director, ITU, has received information from vendors on their currently available consulting assistance in developing a disaster recovery plan. Developing and testing such a plan would require additional funding. If funding is made available, the Authority will develop and test a disaster recovery plan." 1987: "The Authority is fully cognizant of the need for a disaster recovery plan (as required by law), and has requested funding for such a system during each of the previous three fiscal years. On each occasion, such funding has been denied. During FY89, preliminary planning will be carried out to examine the areas required in the Authoritys Disaster Recovery efforts. Various policies and procedures will be put into place, which do not require additional funding. Funding for an extensive survey will again be requested in FY90 for an experienced consultant who can understand the Authority's network and needs in this area. Such a consulting company could then design a Disaster Recovery plan for the Authoritys network of computer systems. If funded, items specified in the plan would be implemented and installed. Disaster Recovery items might include uninterruptable power supplies (UPS), setup of a remote "hot site" with additional equipment and telecommunications equipment to duplicate the Authoritys equipment. Copies of the Disaster Recovery plan, programs, and manuals will be stored off-site." |