REPORT DIGEST

DEPARTMENT OF CENTRAL MANAGEMENT SERVICES

FINANCIAL AUDIT
FOR THE YEAR ENDED JUNE 30, 2016

Release Date: February 23, 2017

FINDINGS THIS AUDIT: 2

CATEGORY      NEW   REPEAT   TOTAL
Category 1     0      1        1
Category 2     0      1        1
Category 3     0      0        0
TOTAL          0      2        2

FINDINGS LAST AUDIT: 2

Category 1: Findings that are material weaknesses in internal control and/or a qualification on compliance with State laws and regulations (material noncompliance).
Category 2: Findings that are significant deficiencies in internal control and noncompliance with State laws and regulations.
Category 3: Findings that have no internal control issues but are in noncompliance with State laws and regulations.

State of Illinois, Office of the Auditor General
FRANK J. MAUTINO, AUDITOR GENERAL

To obtain a copy of the Report contact: Office of the Auditor General, Iles Park Plaza, 740 E. Ash Street, Springfield, IL 62703
(217) 782-6046 or TTY (888) 261-2887

This Report Digest and Full Report are also available on the worldwide web at www.auditor.illinois.gov

INTRODUCTION

This report covers our financial audit of the Department of Central Management Services for the year ended June 30, 2016. A State compliance examination covering the two years ended June 30, 2017 will be performed next year.

SYNOPSIS

• (16-1) The Department failed to report accurate account balances for year-end financial reporting to the Office of the State Comptroller.
• (16-2) The Department had not implemented adequate security and controls over the midrange environment.

FINDINGS, CONCLUSIONS, AND RECOMMENDATIONS

WEAKNESSES IN INTERNAL CONTROL OVER FINANCIAL REPORTING

The Department’s year-end financial reporting in accordance with generally accepted accounting principles (GAAP) to the Illinois Office of the State Comptroller contained significant errors in the determination of certain year-end account balances.

During the audit of the June 30, 2016 financial statements, we noted the following errors for which the Department revised their financial statements:

• The Department failed to eliminate the interfund activity related to the allocation of the net loss in the Health Insurance Reserve Fund (0907) of $1.890 billion. This error resulted in the overstatement of combined revenues and expenses in the Department-wide financial statements.
• The Department improperly allocated expenses to the various functions of the primary government related to the recognition of the net other post-employment benefit obligation in the Department-wide financial statements. The errors resulted in an overstatement of fiscal year 2016 Education expenses ($1.780 billion) and understatements of General government ($291.874 million), Employment and economic development ($60.050 million), Health and social services ($625.682 million), Transportation ($51.497 million), Public protection and justice ($619.796 million) and Environment and business regulation ($131.271 million).
• The Department misclassified $38.801 million of cash equivalents as investments in the State Employee’s Deferred Compensation Fund (0775).
• The Department understated accrued liabilities in the Health Insurance Reserve Fund (0907) by $27.019 million due to the exclusion of certain premiums liabilities. This misstatement also resulted in an understatement of the amounts due to Fund 0907 from the General Revenue Fund (0001) and Road Fund (0011) of $25.630 million and $1.389 million, respectively.
• In the prior fiscal year, the Department overstated both interfund receivables and interfund payables by $24.796 million. The Department restated its financial statements as of July 1, 2015 to correct for these errors.
• The Department failed to properly account for the reversing effects of a prior year audit adjustment in the Health Insurance Reserve Fund (0907). This error resulted in the understatement of both revenues and expenses by $16.964 million.
• The Department improperly reported current year depreciation expense of $15.634 million related to permanently idled real property transferred to the Department as surplus property in fiscal year 2014. The Department restated its financial statements as of July 1, 2015 to correct for these errors.
• The Department failed to capitalize Enterprise Resource Planning (ERP) system development costs totaling $12.816 million.
• The Department overstated accounts payable in the Workers’ Compensation Revolving Fund (0332) by $9.020 million due to the improper addition of vouchers in transit to the actuarially determined liability.
• The Department understated accounts receivable in the Community College Health Insurance Security Fund (0577) by $370 thousand due to failure to record employer and member SURS contributions receivable.

(Finding 1, pages 66-69)

We recommended the Department implement procedures and cross-training measures to ensure required financial information is prepared in a timely, accurate and complete manner. This should include allocating sufficient staff resources and the implementation of formal procedures to ensure adequate and reliable financial information is prepared and submitted to the Office of the State Comptroller. These procedures should address all elements of the Department’s financial reporting process including, but not limited to, accruals for liabilities and receivables, maintenance of capital asset and inventory records, supervisory review of supporting spreadsheets for data accumulation, and the preparation of management estimates.

The Department agreed with the finding and stated they experienced major transitions during the financial reporting period including changes in personnel, the shared services de-consolidation, and the creation of the Illinois Department of Innovation and Technology as its own agency. Additionally, the Department continues to work through issues created by the budget impasse. The Department will continue to work toward more comprehensive cross-training among staff and will continue to work to improve communications from Bureau staff to Financial Reporting staff. Lastly, the Department will continue to update its financial reporting procedures to help ensure accurate and reliable financial information is prepared and submitted to the Office of the Comptroller.

INADEQUATE SECURITY AND CONTROL OVER THE MIDRANGE ENVIRONMENT

The Department had not implemented adequate security and controls over the midrange environment.

Since fiscal year 2007, the auditors had noted the Department had not implemented adequate security and controls over the midrange environment. Again in fiscal year 2016, the auditors noted the Department had not remediated the security and control issues. Specifically, the following weaknesses were noted:

• Powerful administrator accounts which did not require passwords,
• Servers were running unsupported operating systems or service pack versions,
• Servers without anti-virus software,
• Servers were not properly backed up, and
• Accounts with deficient password length, change interval, and content requirements.

(Finding 2, pages 70-71) This finding was first reported in 2007.

We recommended the Department should ensure complete, accurate and detailed records are available to substantiate its midrange environment. The auditors specifically recommended the Department: (1) develop and implement minimum security standards for the midrange environment; (2) ensure all administrative accounts meet password and security standards; (3) standardize password length and content requirements and ensure all user accounts require a password; (4) update servers to current vendor recommended patch or service pack levels; (5) ensure all servers are running antivirus software; and (6) ensure all servers are routinely backed up.

The Department agreed with the finding and stated they will develop and implement minimum security standards to ensure the midrange environment is adequately secured. The Department will ensure administrative accounts meet password credential standards and implement standardized password length and composition requirements where operationally feasible. The Department will continue efforts to keep servers current at vendor recommended patch or service pack levels, ensure servers are running antivirus software, and routinely back up servers. (For the previous Department response, see Digest Footnote #1)

AUDITOR’S OPINION

Our auditors stated the financial statements of the Department of Central Management Services as of June 30, 2016, and for the year then ended are fairly presented in all material respects.

FRANK J. MAUTINO
Auditor General

FJM:skm

SPECIAL ASSISTANT AUDITORS

Our Special Assistant Auditors for this audit were Sikich, LLP.

DIGEST FOOTNOTES

#1 – Inadequate Security and Control over the Midrange Environment

2015: The Department concurs with the recommendation. The Department has implemented numerous policies, standards, tools and procedures to help address these issues. Additionally, policy and security standardization will be accomplished in several ways: (1) as a part of the creation of the Illinois Department of Innovation and Technology, all agencies will be required to conform to state-wide policies and standards; (2) several aging applications that require special configurations and policy exceptions will be migrated to newer platforms, like the Enterprise Resource Planning or Software as a Service; (3) a requirement to use new service offerings, like Office 365, Azure, WebEx and Jabber, will only be offered to customers in the Illinois.gov domain. Over the past year progress has been made to remediate identified issues, including retiring end of support operating systems, lack of or outdated anti-virus and missed system backups. Accounts with administrative privileges have been reviewed, and adjusted where operationally feasible, but due to the dependency on agency applications, some of those accounts cannot be changed, furthering the necessity to move agency servers, applications and data to a standardized and common environment.