REPORT DIGEST

DEPARTMENT OF CORRECTIONS

COMPLIANCE EXAMINATION FOR THE TWO YEARS ENDED JUNE 30, 2020

Release Date: October 13, 2021

FINDINGS THIS AUDIT: 60

CATEGORY: NEW -- REPEAT -- TOTAL
Category 1: 4 -- 13 -- 17
Category 2: 22 -- 21 -- 43
Category 3: 0 -- 0 -- 0
TOTAL: 26 -- 34 -- 60

FINDINGS LAST AUDIT: 46

Category 1: Findings that are material weaknesses in internal control and/or a qualification on compliance with State laws and regulations (material noncompliance).
Category 2: Findings that are significant deficiencies in internal control and noncompliance with State laws and regulations.
Category 3: Findings that have no internal control issues but are in noncompliance with State laws and regulations.

State of Illinois, Office of the Auditor General
FRANK J. MAUTINO, AUDITOR GENERAL

To obtain a copy of the Report contact: Office of the Auditor General, Iles Park Plaza, 740 E. Ash Street, Springfield, IL 62703, (217) 782-6046 or TTY (888) 261-2887

This Report Digest and Full Report are also available on the worldwide web at www.auditor.illinois.gov

INTRODUCTION

This digest covers the Compliance Examination of the Department of Corrections (Department) for the two years ended June 30, 2020. The Department’s Financial Statement Audit covering the year ended June 30, 2020 was previously issued under separate cover. In total, this report contains 60 findings, 8 of which were reported in the Financial Audit.

SYNOPSIS

• (20-9) The Department failed to meet requirements of a settlement agreement and court order for the provision of mental health services to mentally ill inmates in custody of the Department.
• (20-12) The Department lacked an adequate internal control structure over the reporting of census data events to the Department of Central Management Services.
• (20-14) The Department did not implement evidence-based programming or comply with related provisions of the Illinois Crime Reduction Act of 2009 during the examination period.
• (20-41) The Department had not implemented adequate internal controls related to cybersecurity programs and practices.
• (20-57) The Department did not timely provide all requested documentation to the auditors.

FINDINGS, CONCLUSIONS, AND RECOMMENDATIONS

FAILURE TO MEET COURT-ORDERED MENTAL HEALTH SERVICE REQUIREMENTS

The Department failed to meet requirements of a settlement agreement and court order for the provision of mental health services to mentally ill inmates in custody of the Department during the examination period.

In April of 2019, the United States District Court issued a permanent injunction after finding the Department was “not in substantial compliance” with the settlement agreement entered by the parties in December 2015. The permanent injunction issued by the District Court, Rasho v. Walker, 376 F.Supp.3d 888 (C.D. Ill. 2019) (“the court order”), ordered the Department to provide mental health treatment to prisoners, as well as to provide medication management, mental health evaluations, and necessary mental health staff throughout the correctional system.

Based on the auditor’s review of staffing levels reported by the Department, the Department failed to meet hiring requirements from the effective date of the permanent injunction through Fiscal Year 2020. In addition, in the report created by the Department to certify each facility’s compliance with court-ordered requirements, the Department reported numerous facilities did not meet all court-ordered requirements for some mental health service areas. (Finding 9, pages 51-58)

The auditors recommended the Department allocate the necessary resources and take all reasonable and appropriate measures in order to meet court-mandated staffing and reporting requirements.

The Department accepted the recommendation and agreed the audit accurately reflects the publicly available data within facility certifications that self-identify compliance with the permanent injunction in Rasho.
The Department also stated the facility certifications provide no more than an opinion of those at the facility level regarding their compliance with the order. The Department stated its quarterly reports fully explain how and why it has complied with the 29 data points set forth in the injunction. The Department further responded by stating it has, at all times, during the effective date of the permanent injunction provided appropriate and constitutionally required mental health care to its population. The Department stated its compliance with the 29 requirements within the Rasho permanent injunction throughout the entire system (28 facilities), based solely on facility certifications, indicates it has averaged 91.28% (The Department stated that in this calculation, a facility is considered compliant with a mandate within the Rasho permanent injunction if it rates its compliance 85% or more, consistent with National Commission on Correctional Health Care standards) compliance over the span of the audit cycle.

In an accountant’s comment, we noted the Department’s response contradicts evidence examined, as follows:

» When other quarterly report components documenting compliance by each facility are considered, the quarterly reports still disclose noncompliance with court-ordered requirements.
» The documentation provided to the auditors does not provide sufficiently appropriate audit evidence to establish the Department’s compliance with the staffing requirements of the court order.
» The Department cannot both certify to the Court that the Department’s submissions certify each facility’s compliance as required by the court order, while also indicating to the auditors that those certifications are not the Department’s opinion.
» The compliance rates cited by the Department are misleading and incorrectly imply the Department has exceeded court-ordered compliance requirements.
Each of the facilities did not meet at least 85% compliance with each of the 29 directives based on facility certifications, as reported by the Department to the Court.

UNTIMELY AND INACCURATE REPORTING OF CENSUS DATA EVENTS

The Department lacked an adequate internal control structure over the reporting of census data events to the Department of Central Management Services (CMS).

During testing, we noted the following problems:

» Fifty-three of 120 (44%) employees tested had 69 events occur impacting CMS’ census data records where we noted it took between 15 and 152 days from the occurrence of the event to when this information was entered into CMS’ records. Six of these noted incidents were also reported in Finding 2020-005.
» One of 120 (1%) employees tested had a discrepancy between the change date recorded within CMS’ records and the Department’s records. We noted the reported date within CMS’ census data records was 202 days after the event purportedly occurred according to the Department’s records. This exception was also reported in Finding 2020-005.
» Five of 120 (4%) employees tested had transactions reported to CMS where the Department’s underlying records lacked support for when Department personnel actually reported the transaction to CMS.

(Finding 12, pages 67-68)

We recommended the Department implement controls to ensure reportable events are timely and accurately transmitted to CMS and records are properly completed and maintained to support transactions reported.

The Department accepted the recommendation and stated the Department strives to enter changes within a few days of receiving the required paperwork and approvals from the employees.
The Department also responded that CMS policy allows employees to submit paperwork for an approved leave of absence or other changes for an indefinite amount of time on or after the date the event occurs and therefore, the timeliness of entering some changes into the CMS system is entirely out of the Department's control.

In an accountant’s comment, we noted Department officials contradict themselves by accepting the recommendation that they should implement controls to ensure reportable events, including leaves of absences, are reported timely to CMS, while simultaneously rejecting this recommendation by stating an unspecified CMS policy – which had not previously been disclosed during this examination – allows employees an indefinite amount of time to submit the paperwork for reporting leaves of absences or other changes. We continue to believe the Department should implement controls to ensure all reportable events are timely and accurately transmitted to CMS.

NONCOMPLIANCE WITH EVIDENCE-BASED PROGRAMMING REQUIREMENTS OF THE ILLINOIS CRIME REDUCTION ACT OF 2009

The Department did not implement evidence-based programming or comply with related provisions of the Illinois Crime Reduction Act of 2009 (Act) during the examination period. We noted:

» The Department did not adopt policies, rules, and regulations regarding the adoption, validation, and utilization of a statewide standardized risk assessment tool for supervised and incarcerated individuals during the engagement period.
» The Department had not provided all of its Parole Division employees with intensive and ongoing training and professional development services to support the implementation of evidence-based practices on all required topics during the examination period.
» The Department did not design, implement, or make public a system to evaluate the effectiveness of evidence-based practices.
» The Department did not annually submit to the Sentencing Policy Advisory Council a comprehensive report on the success of implementing evidence-based practices.

(Finding 14, pages 71-72) This finding has been repeated since 2016.

We recommended the Department fully implement an evidence-based programming system, including policies, procedures and regulations for risk assessment; employee training; a system to evaluate effectiveness; and annual reporting, to fulfill its mandated duties.

The Department accepted the recommendation and stated it has fully implemented the Ohio Risk Assessment System (System) to provide evidence-based programming to the individuals in the Department’s custody as well as those on parole. The Department further responded all staff within the Department who are required to use the system have been trained and training continues as new staff are hired. The Department also stated COVID-19 restrictions during 2020 hindered the completion of the training since a portion of the assessment (face to face interviewing) could only be conducted in person.

WEAKNESSES IN CYBERSECURITY PROGRAMS AND PRACTICES

The Department had not implemented adequate internal controls related to cybersecurity programs and practices.

We noted the Department:

• Had not developed a formal, comprehensive, adequate, and communicated security program (policies, procedures, and processes) to manage and monitor the regulatory, legal, environmental, and operational requirements.
• Had not addressed the results of the risk assessment and/or documented the corrective actions included in the mitigation plan.
• Had not developed a data classification policy.
• Had not developed a policy or procedure related to data wiping.
• Had not ensured cybersecurity awareness training was completed for 808 of 13,958 (6%) registered employees.
• Had not ensured cybersecurity roles and responsibilities were documented and communicated.
(Finding 41, pages 121-122) This finding has been reported since 2016.

We recommended the Department:

• Develop a formal, comprehensive, adequate, and communicated security program (policies, procedures, and processes) to manage and monitor the regulatory, legal, environmental, and operational requirements.
• Address the results of the risk assessment and/or document the corrective actions included in the mitigation plan.
• Develop a data classification policy.
• Develop a policy or procedure regarding the method and responsibilities for data wiping.
• Ensure all Department employees participate in cybersecurity awareness training.
• Ensure cybersecurity roles and responsibilities are documented and communicated.

The Department accepted the recommendation and responded it is working to ensure recommendations in safeguarding all aspects of Information Technology are established and provided for awareness and compliance.

FAILURE TO PROVIDE REQUESTED DOCUMENTATION IN A TIMELY MANNER

The Department did not provide all requested documentation to the auditors in a timely manner.

During the engagement, outstanding request listings were sent up to four times a month to the Department. Further, four letters were sent from the Office of the Auditor General to the Department during the audit documenting the delays encountered and requesting assistance necessary to complete the financial audit and State compliance examination of the Department and the financial audit of the Statewide financial statements.
As of May 11, 2021, documents related to 491 (47%) requests were provided after the time frame for responses agreed upon with the Department as follows:

Days Received After the Due Date of Request -- Total Number of Items Past Due
1 to 14 -- 267
15 to 30 -- 102
31 to 60 -- 79
61 to 90 -- 29
90 to 120 -- 8
Over 120 -- 6
Total -- 491

Further, some requests for documentation from correctional facilities were never provided to the facility auditors and therefore were considered as exceptions during testing. Those instances have been reported as part of other findings.

Department management agreed to provide requested documents within three weeks of receipt of requests at the beginning of the pandemic, then within two weeks of requests effective August, 2020. Beginning in mid-November 2020, the Department agreed to return to prior audits’ practice of providing documents and responses to exceptions and potential audit findings within one week of receipt. (Finding 57, pages 150-153)

We recommended the Department allocate the necessary resources in order to provide requested information to auditors in a timely manner.

The Department accepted the recommendation and stated it takes great comfort in knowing that none of the delays mentioned in this finding caused the delay in completing the Statewide Annual Comprehensive Financial Report (ACFR). The Department further responded it was very clear that reducing the timeframe for a response from 3 weeks down to 2 and then 1 would be extremely difficult to achieve given the constraints of the COVID 19 restrictions and other issues experienced by the Department. The Department stated it made every effort possible to comply, however, it listed contributing factors for delays.

In an accountant’s comment, we noted the Department is not in a position to evaluate the effect the Department’s delays may impose on the Statewide Annual Comprehensive Financial Report, the Department’s financial audit, or the Department’s State compliance examination. The auditors concluded the Department did not provide timely information to the auditors, which is noncompliance with the Illinois State Auditing Act. The facts in the finding clearly demonstrate this noncompliance. The timelines established for providing audit requests were reasonable for a routine post audit. Audit document requests were clearly communicated in writing to enable the Department to provide the requested information. The auditors routinely followed up with the Department on outstanding, incomplete, and unresponsive documents, and as detailed in the finding, the Department at times took months to provide complete, responsive documents. A total of 224, or 21% of all requests made, were provided over 2 weeks late (3 to 5 weeks after the date requested). The auditors made repeated requests for the Department to notify the auditors if they believed any facts were in error. The Department did not raise any concerns with the facts until it submitted its finding response. Both the finding and the Department’s response demonstrate the difficulty the auditors experienced in obtaining timely information and cooperation during this post audit.

OTHER FINDINGS

The remaining findings pertain to financial reporting; noncompliance and control weaknesses regarding laws, rules, regulations, and grant agreements; fiscal and administrative responsibilities; and information technology controls. We will review the Agency’s progress towards the implementation of our recommendations in our next compliance examination.

ACCOUNTANT’S OPINION

The accountants conducted a compliance examination of the Department for the two years ended June 30, 2020, as required by the Illinois State Auditing Act.
The accountants qualified their report on State compliance for Findings 2020-001 through 2020-016 and 2020-018 individually, and 2020-023, 2020-024, 2020-044, 2020-049, 2020-051, 2020-053, 2020-054, 2020-056 and 2020-058 in the aggregate. Except for the noncompliance described in these findings, the accountants stated the Department complied, in all material respects, with the requirements described in the report.

This compliance examination was conducted by Adelfia LLC.

JANE CLARK
Division Director

This report is transmitted in accordance with Section 3-14 of the Illinois State Auditing Act.

FRANK J. MAUTINO
Auditor General

FJM:lkw