REPORT DIGEST DEPARTMENT OF JUVENILE JUSTICE COMPLIANCE EXAMINATION FOR THE TWO YEARS ENDED JUNE 30, 2018 Release Date: February 19, 2020 FINDINGS THIS AUDIT: 21 CATEGORY: NEW -- REPEAT -- TOTAL Category 1: 4 -- 3 -- 7 Category 2: 4 -- 10 -- 14 Category 3: 0 -- 0 -- 0 TOTAL: 8 -- 13 -- 21 FINDINGS LAST AUDIT: 17 Category 1: Findings that are material weaknesses in internal control and/or a qualification on compliance with State laws and regulations (material noncompliance). Category 2: Findings that are significant deficiencies in internal control and noncompliance with State laws and regulations. Category 3: Findings that have no internal control issues but are in noncompliance with State laws and regulations. State of Illinois, Office of the Auditor General FRANK J. MAUTINO, AUDITOR GENERAL To obtain a copy of the Report contact: Office of the Auditor General, Iles Park Plaza, 740 E. Ash Street, Springfield, IL 62703 (217) 782-6046 or TTY (888) 261-2887 This Report Digest and Full Report are also available on the worldwide web at www.auditor.illinois.gov SYNOPSIS • (18-01) The Department did not maintain adequate documentation and control over its State property during the examination period. • (18-02) The Department did not exercise adequate controls over voucher processing. • (18-05) The Department failed to secure and control personal and confidential information. • (18-06) The Department failed to maintain adequate controls over its personnel and payroll records and documentation. • (18-07) The Department did not ensure Youth 360 calculated youth release dates correctly. FINDINGS, CONCLUSIONS, AND RECOMMENDATIONS INADEQUATE CONTROLS OVER STATE PROPERTY The Department did not maintain adequate documentation and control over its State property during the examination period. The Department did not timely and accurately enter transactions into the property control system. The accountants noted during the walk-through of equipment transactions that equipment purchases/additions were not being timely entered and Department personnel had a backlog of transactions that had not yet been added to the Central Inventory System (CIS). The accountants also noted addition and deletion reports could not be agreed to activity reported in the quarterly Agency Report of State Property (C-15) reported to the Comptroller. As a result, the accountants were unable to reconcile the Department-wide C-15s to the Comptroller’s Object/Expenditures by Quarter Reports (SA02). The unreconciled differences totaled $911,536 and $247,509 in Fiscal year 2017 and Fiscal Year 2018, respectively. Due to these conditions, the accountants were unable to conclude whether the Department’s population of inventory records was sufficiently precise and detailed under Attestation Standards promulgated by the America Institute of Certified Public Accountants (AT-C § 205.35) to test the Department’s State property. In addition, due to these limitations, the accountants were unable to conclude the Department’s Schedule of Changes in State Property on page 68 was complete and appropriately reported. Even given the population limitations noted above which hindered the ability of the accountants to conclude whether the selected sample was representative of the population as a whole, the accountants selected a sample of items from the property listing provided by the Department and performed testing. Following are a few items the accountants noted during testing: • The Department’s property control listing did not accurately report equipment locations and location codes: – Items were still being reported on the property listing at closed Youth Centers (IYC), including 57 equipment items, totaling $13,851, under IYC Murphysboro; 17 equipment items, totaling $4,570, under IYC Kewanee; and 933 equipment items, totaling $559,940, 55 buildings, totaling $29,825,386, and 160 acres of land, totaling $573,103 under IYC Joliet. – One building at the St. Charles Youth Center was not able to be located on the property listing. – Although there were eight aftercare locations throughout the State, the property listing only contained two location codes, Springfield and Chicago. – Items at three different locations in Springfield utilized the same location code. • During voucher testing, the accountants reviewed 11 purchases of equipment, totaling $155,885, which were not added to the property listing. • The Department did not properly maintain its property. The accountants observed one Youth Center (St. Charles) had 13 unused, condemned, or worn down buildings in need of repairs, demolition, or significant improvements. (Finding 1, pages 12-14) This finding has been repeated since 2008. (For the previous Department response, see Digest Footnote #1.) We recommended the Department strengthen its controls over maintaining, recording, and reporting its State property and equipment by reviewing its inventory and recordkeeping practices to ensure compliance with State laws and regulations. Further, we recommended the Department ensure all its property transactions are accurately and timely recorded on the Department’s property records. Department officials accepted the recommendation and stated the Department will work with PSSSC and Department employees to strengthen its controls over maintaining, recording and reporting state property. INADEQUATE CONTROLS OVER VOUCHER PROCESSING The Department of Juvenile Justice (Department) did not exercise adequate controls over voucher processing. During testing, the auditors noted the following: • For 2 of 226 (1%) vouchers tested, totaling $534,642, the Department did not provide documentation to substantiate $3,181 expended. In addition, for 4 of 60 (7%) payroll vouchers tested, totaling $7,807, no documentation was provided so the auditors could not determine whether the payments were proper. Lastly, for three vouchers, totaling $707,033, to a healthcare vendor, the auditors could not determine whether the amounts paid were mathematically accurate due to a lack of support provided. • Forty-three of 226 (19%) vouchers tested, totaling $1,684,638, were approved for payment between 2 and 336 days late. • For 17 of 226 (8%) vouchers tested, totaling $1,185,224, the related invoices were not date-stamped when received by the Department. As a result, auditors could not determine if the voucher was approved timely or if interest was due to the vendor. • For 15 of 40 (38%) awards and grant vouchers tested, totaling $591, the original date stamp on the invoice was scratched out and a new stamp was applied. The second stamps were between 59 and 747 days after the service date. (Finding 2, pages 15-16) We recommended the Department retain all vouchers and adequate supporting documentation. We also recommended the Department timely approve vouchers and ensure the receipt date is properly documented. Department officials accepted the recommendation and stated they will work with staff to ensure that all supporting documentation is retained, documenting the receipt date and timely approving the vouchers. WEAKNESS REGARDING SECURITY AND CONTROL OF CONFIDENTIAL INFORMATION The Department of Juvenile Justice (Department) failed to secure and control personal and confidential information. In order to carry out its mission, the Department maintains several computer systems which contain confidential or personal information, such as names, addresses, and Social Security numbers. In addition, the Department maintains protected health information that is considered confidential and required to be protected under the Health Insurance Portability and Accountability Act (HIPAA). During testing, we noted the following weaknesses: • Failure to document or install encryption software on laptop computers. • Lack of business agreements with medical providers handling protected health information. • Failure to perform a risk assessment of the Department’s computer resources. • Failure to protect personal, medical, and confidential information on all Information Technology (IT) equipment. As part of the examination process, we requested the Department provide us the populations of all medical providers and IT equipment. Although the Department provided the populations, documentation demonstrating the completeness and accuracy of the populations could not be provided. Due to these conditions, we were unable to conclude that the populations’ records were sufficiently precise and detailed under the Professional Standards promulgated by the American Institute of Certified Public Accountants (AT-C § 205.35). Even given the IT populations’ limitations noted above, we tested a sample of laptops to determine if encryption had been installed, noting the Department could not provide documentation of encryption for seven of 29 (24%) laptops. In addition, we noted one laptop did not have encryption installed. Furthermore, we tested a sample of medical providers to determine if the Department had executed Business Associate Agreements, noting three of four (75%) medical providers did not have executed Business Associate Agreements. We also noted the Department had not performed a risk assessment of its computing resources to identify confidential or personal information to ensure such information was protected from unauthorized disclosure. In addition, the Department did not maintain adequate controls over hardcopy documentation containing personal, medical and confidential information. The Department’s Fiscal Years 2017 and 2018 Certification of Inventory, documented missing equipment, including 16 PCs/laptops totaling $21,325 and 18 PCs/laptops, totaling $28,206, respectively. We requested documentation demonstrating the Department’s assessment of confidential information maintained on the PCs/laptops. However, the Department did not provide documentation of their assessment. As such, we were unable to determine if any notifications were required. During our testing at the Department’s Youth Centers, we noted a significant amount of IT equipment sitting in condemned/uninhabitable and working buildings, in which the data had not been removed. In addition, the Department had not conducted an assessment to determine confidentiality of the data or the appropriate removal of the data. (Finding 5, pages 21-23) This finding was first reported in 2014. (For the previous Department response, see Digest Footnote #2). We recommended the Department: • Ensure all confidential information is protected with methods such as encryption or redaction. • Ensure Business Associate Agreements are executed for all entities with access to medical records. • Maintain complete, accurate, and detailed records of its IT equipment and medical providers. • Perform risk assessments to ensure the IT equipment and data maintained have adequate security controls installed to safeguards its information. • Ensure all confidential records are properly destroyed. • Perform an assessment of the information contained on missing IT equipment to determine if notification is required under the Personal Information Protection Act. • Ensure all data is properly removed from unused IT equipment. Department officials accepted the recommendation and stated they have made significant strides that include adding an amendment to all applicable contracts that include the requirements listed in the Health Insurance Portability and Accountability Act (HIPAA), working with the Department of Innovation and Technology (DoIT) Group Chief Information Officer on maintaining encryption software on applicable IT equipment, establishing an IT Risk Assessment and performing risk assessments to ensure IT equipment and data have security controls to safeguard its data. They further stated the Department will work with Public Safety Shared Services Center (PSSSC) and DoIT to establish and maintain a list of IT Equipment and will update its Administrative Directives to ensure confidential information is properly destroyed and data is property removed from unused IT equipment. FAILURE TO MAINTAIN REQUIRED PERSONNEL DOCUMENTATION The Department of Juvenile Justice (Department) failed to maintain adequate controls over its personnel and payroll records and documentation. During testing, the auditors noted the following: • For 12 of 60 (20%) employees tested, the Department was unable to provide the signed Federal/Illinois W-4 Employee’s Withholding Exemption Certificate (Form C-25). • For 17 of 60 (28%) employees tested, the documentation in the personnel files did not agree with withholding amounts: – For four employees tested, the State tax withheld did not trace to the Form C-25. Differences ranged from $5 to $78 for the pay period tested. – For six employees tested, the Federal tax withheld did not trace to the Form C-25. Differences ranged from $10 to $996 for the pay period tested. – For nine employees tested, the amount withheld for health insurance did not trace to the Department of Central Management Services’ (CMS) system. Differences ranged from $9 to $57 for the pay period tested. – For seven employees tested, the amount withheld for dental insurance did not trace to CMS’ system. Differences ranged from $1 to $6 for the pay period tested. – For five employees tested, the amount withheld for life insurance did not trace to CMS’ system. Differences ranged from $3 to $24 for the pay period tested. • For 33 of 60 (55%) employees tested, the Department could not provide leave authorization requests or other supporting documentation for the months tested. • For 22 of 60 (37%) employees tested, the Department was unable to provide timesheets for the months tested. • For 15 of 60 (25%) employees tested, there was no approval for 124 instances of overtime worked totaling 565 hours for the months tested. (Finding 6, pages 24-26) We recommended the Department strengthen controls to ensure employees’ payroll deductions, time records, leave requests, and overtime documentation are completed, approved, and maintained as required. Department officials accepted the recommendation and stated the Department will work with the PSSSC and its staff to ensure forms are maintained and deductions are supported. Furthermore, the Department will update the PSSSC agreement and will work to secure adequate funding to hire personnel to perform this function. INACCURATE CALCULATION OF RELEASE DATES The Department of Juvenile Justice (Department) did not ensure Youth 360 calculated youth release dates correctly. In June 2010, the Department embarked on the development of the Youth 360 system and over the last eight years has added additional functionality in the areas of location tracking, offense information, security levels, as well as maintaining youth personal, and medical information. As reported in the 2016 examination, due to incorrect logic regarding custody date, length of the sentence, and the complexity of youth sentencing laws, Youth 360 did not correctly calculate the release dates. As a result, Department staff were manually calculating the release dates and overriding Youth 360 release dates. During the current examination testing, we continued to note Youth 360 was still unable to properly calculate release dates due to incorrect logic and staff continued to manually calculate release dates and override the incorrect information in the system. We recommended the Department implement the required changes to Youth 360’s logic in order to meet the needs of the Department. (Finding 7, pages 27-28) The Department rejected the recommendation and stated the computer program calculation error has been fixed and the Department continues to work with the vendor to improve the Y360 youth electronic record system. Additionally, the Department noted that the Target Release Date is a guideline, rather than a determinate release date and the Director has the sole authority to approve release for youth adjudicated delinquent and committed to the custody of the Department, regardless of identified Target Release Date. In an accountant’s comment, it was noted the Department did not provide documentation demonstrating the Y360 calculation error had been corrected. In fact, Department management stated, “miscalculation glitches in Y360 are being addressed on an on-going basis.” In addition, the Target Release Date is a necessary component of determining when a juvenile is released, which is supported by Department staff’s manual recalculation and system overriding. Further, given millions of taxpayer dollars that have been spent over the last eight years on an application which is responsible for maintaining information related to the Youth Offender, the Department has the ultimate responsibility to ensure the Target Release date is accurately calculated by Y360. OTHER FINDINGS The remaining findings pertain to the following: 1) inadequate controls over economic interest statements, locally held funds, contractual agreements, interagency agreements, and receipts; 2) inaccurate youth transfer listing; 3) lack of disaster contingency planning; 4) administrative processes not fully segregated; 5) noncompliance with the Fiscal Control and Internal Auditing Act; 6) policies and procedures regarding operation of State vehicles not followed; 7) inadequate administration of confinement and discipline policies; 8) required reports did not contain required elements; and 9) noncompliance with the Unified Code of Corrections. We will review the Department’s progress towards the implementation of our recommendations in our next compliance examination. ACCOUNTANT’S OPINION The accountants conducted a compliance examination of the Department for the two years ended June 30, 2018, as required by the Illinois State Auditing Act. The accountants qualified their report on State compliance for Findings 2018-001 through 2018-007. Except for the noncompliance described in these findings, the accountants stated the Department complied, in all material respects, with the requirements described in the report. This compliance examination was conducted by the Office of the Auditor General’s staff. JANE CLARK Division Director This report is transmitted in accordance with Section 3-14 of the Illinois State Auditing Act. FRANK J. MAUTINO Auditor General FJM:PH DIGEST FOOTNOTES #1 - Inaccurate and Inadequate Equipment and Capital Asset Record Keeping Recommendation accepted. The Department will review inventory and recordkeeping practices with staff members and remind them of the importance of processing transactions in a timely manner. Due to the current budget situation, the Department does not have the resources necessary to address all building repairs and maintenance issues. #2 – Lack of Project Management over Youth 360 Project Recommendation accepted. The Department will make every effort to ensure the security, integrity, and availability of its applications and data. Additionally, the Department will continue to work to ensure projects are managed, monitored, and documented adequately.