REPORT DIGEST

DEPARTMENT OF COMMERCE AND COMMUNITY AFFAIRS

FINANCIAL AUDIT

For the Year Ended:
June 30, 2002

AND
COMPLIANCE AUDIT

For the Two Years Ended:
June 30, 2002

Summary of Findings:

Total this audit 8
Total last audit 4
Repeated from last audit 0

Release Date:
June 12, 2003

logo.jpg (8630 bytes)

State of Illinois
Office of the Auditor General

WILLIAM G. HOLLAND
AUDITOR GENERAL

To obtain a copy of the Report contact:
Office of the Auditor General
Attn: Records Manager
Iles Park Plaza
740 E. Ash Street
Springfield, IL 62703
(217)782-6046 or TDD (217) 524-4646
This Report Digest is also available on
the worldwide web at
http://www.state.il.us/auditor

 

 

 

 

 

 

SYNOPSIS

 

 

  • The Department did not correctly report financial information to the Office of the Comptroller.
  • The Department did not adequately monitor contractors.
  • The Department did not determine the cost or ensure compliance with the Application System Development Standards of a newly developed computer system.
  • The Department had not established adequate controls for securing its computer resources.

 

 

 

 

 

 

 

{Expenditures and Activity Measurers are summarized on the reverse page.}


DEPARTMENT OF COMMERCE AND COMMUNITY AFFAIRS

FINANCIAL AND COMPLIANCE AUDIT
For The Two Years Ended June 30, 2002

EXPENDITURE STATISTICS

FY 2002

FY 2001

FY 2000

Total Expenditures (All Funds)

$828,325,157

$778,695,211

$720,714,957

OPERATIONS TOTAL
% of Total Expenditures
Personal Services
% of Operations Expenditures
Average No. of Employees
Other Payroll Costs (FICA, Retirement, Group Insurance)
% of Operations Expenditures
Contractual Services
% of Operations Expenditures
All Other Operations Items
% of Operations Expenditures

$102,845,079
12.42%
$18,837,058
18.32%
518

$5,219,216
5.07%
$7,777,559
7.56%
$71,011,246
69.05%

$99,493,216
12.78%
$17,755,561
17.85%
518

$4,733,892
4.76%
$7,861,024
7.90%
$69,142,739
69.49%

$93,450,447
12.97%
$19,446,575
20.81%
528

$5,320,515
5.69%
$7,316,644
7.83%
$61,366,713
65.67%

AWARDS AND GRANTS TOTAL
% of Total Expenditures
DEBT SERVICE TOTAL
% of Total Expenditures
PERMANENT IMPROVEMENTS AND REFUNDS TOTAL
% of Total Expenditures

$706,596,022
85.30%
$13,617,991
1.64%
$5,266,065

0.64%

$665,814,420
85.50%
$13,311,069
1.71%
$76,506

0.01%

$611,958,265
84.91%
$13,748,832
1.91%
$1,557,413

0.21%

Cost of Property and Equipment

$12,565,609

$11,102,394

$12,259,926

CASH RECEIPTS

FY 2002

FY 2001

FY 2000

From Federal Agencies
Licenses and Fees
Interest and Other Investment Income
Other
Total

$194,673,734
8,876,428
14,017,152
4,628,546
$222,195,860

$217,037,354
9,117,480
8,922,991
3,903,249
$238,981,074

$312,004,078
9,035,659
10,912,870
2,854,841
$334,807,448

SELECTED OUTCOME INDICATORS (unaudited)

FY 2002

FY 2001

FY 2000

Firms trained to improve the health, safety and labor management practices
Illinois Households Assisted (heating, emergency service, etc.)
International Trade-Companies Assisted
Jobs Created or Retained by Small Businesses Served by the Department

9,201

280,510

1,614
4,412

4,091

318,053

1,411
4,288

5,012

240,348

1,532
6,707

AGENCY DIRECTOR(S)
During Audit Period: Pam McDonough (7/01/00 through 11/20/02)
Currently: Jack Lavin
 

 

 

 

 

The Department did not include in their financial statements $766 thousand of receipts and cash on hand at June 30, 2002

 

 

 

 

 

 

 

 

 

 

 

 

Over $102,000 paid for contractors to attend training

 

 

 

 

 

 

 

Documentation to support payments was lacking

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

Standards were not followed in development project

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

Lack of security puts computer systems at risk

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

FINDINGS, CONCLUDIONS, AND RECOMMENDATIONS

INCORRECT FINANCIAL REPORTING

The Department did not correctly report financial information through the State’s Generally Accepted Accounting Principles (GAAP) Reporting process. The Department classified approximately $75 million of federal operating grants as general grants and approximately $7 million of intergovernmental payables as accounts payable. In addition, the Department did not include in the Department’s financial statements $475 thousand of receipts that were collected but not deposited by June 30, 2002 and $291 thousand of cash on hand that was in two petty cash funds and seven foreign imprest funds. (Finding 1, pages 11-12)

We recommended the Department comply with professional standards and the Statewide Accounting Management System (SAMS) Procedures to ensure accurate financial information is submitted to the Office of the Comptroller. Further, we recommended the Department review and revise as necessary its current system in gathering the financial information that will be reported to the State Comptroller in the GAAP Reporting Packages.

Department officials concurred with the finding and responded that they will comply with professional standards and SAMS to ensure financial information is submitted to the Office of the Comptroller in the proper format. The Department’s accounting staff will continue to attend any state-sponsored training on GAAP reporting to learn more about professional standards and SAMS.

INADEQUATE MONITORING OF CONTRACTORS

The Department paid 25 information systems contractors over $1.94 million. Nine contractors received payments of over $100,000 with four receiving payments of over $150,000.

Our review of the contracts and documentation supporting payments identified numerous problems, including the following:

  • The Department had expenditures of over $102,000 for training related costs for the contractors. Specifically, the Department paid $30,919 for training course fees (predominantly attended by contractors) and an additional $5,077 in travel reimbursement for the contractors to attend the courses. Furthermore, based on records provided by Department staff, contractors were paid their contracted hourly fee to attend the training courses for an estimated $66,264.
  • Contracts require contractors to provide detailed timesheets outlining the work completed and the time it took; however, the majority of timesheets were submitted for payment and paid without the required detail.
  • The Department made payments, totaling $23,700, to contractors without supporting documentation (timesheets).
  • Documentation attached to invoice vouchers indicated that contractors were paid for 71 hours of holidays, vacations, and sick time totaling $4,459. In addition, contractors also billed for and were paid $1,008 for hours where they were listed as "out" on the timesheet submitted.
  • The Department paid a contractor over $1.3 million for the development of a web-site. However, the contractor went out of business and the Department did not receive adequate documentation for the web-site or the source code file to permit the Department to efficiently and effectively maintain the web-site prior to making the final payment.

Without proper monitoring of contractors, there exists an increased risk that contractual requirements will not be met and that inappropriate or excessive reimbursements will be made. (Finding 2, pages 13-15)

We recommended the Department perform a detailed review of its contract monitoring process to ensure that contractors are complying with contractual requirements, effectively performing duties, being paid for hours worked, and meeting the needs of the Department.

Department officials responded that they partially agree with this recommendation and have further reviewed their process for monitoring Information Technology contractual vendors. The Department believes it has met the intent and substance of the recommendation. Additionally, during the audit period, the Department initiated a project to fully automate the Information Technology Office's timekeeping function for contractors. The new system has been fully implemented and integrated with the Department's financial management system since April 1, 2003. This system contains supporting documentation for contractors' payments and requires management review.

INADEQUATE DEVELOPMENT AND COST ACCOUNTING OF THE CUSTOMER INFORMATION SYSTEM

The Department did not ensure compliance with the Application System Development Standards (Standards) on the Customer Information System (CIS) project. Additionally, the Department had not determined the total estimated cost of the complete CIS project.

The Department’s Standards address the various phases of system development projects and require documentation throughout the development process. We reviewed three modules of CIS for compliance with the Standards and found numerous instances of non-compliance.

In addition, the total projected completion cost of the entire CIS project had not been researched or analyzed. Management stated each module would be analyzed as it was brought under the "umbrella" of the whole project. During FY02 the Department spent approximately $875,332 for 11 contractors for the development of the CIS project. Of the $875,332, $213,556 was paid from funds that receive federal funding. Without a formalized detailed operating budget, it is difficult to determine the actual/expected cost of the CIS project. (Finding 3, pages16-17)

We recommended the Department form a quality assurance team to ensure all system development projects and major modifications follow the Standards. Appropriate documentation should be maintained to demonstrate compliance with Standards. Additionally, the Department should develop a detailed cost estimate and conduct a cost-benefit analysis of the entire CIS project to ensure that the project will meet its needs in a cost-effective manner.

Department officials responded that they partially agree with this recommendation. The Department believed it met the criteria for a quality assurance team and for adequate documentation. The Department also responded that it is in the process of preparing an updated long-range cost estimate and analysis for the Customer Information System project.

INADEQUATE COMPUTER SECURTIY CONTROLS

The Department had established computer systems throughout the State and in the Foreign Offices in order to meet its mission and mandate. The Department processes and maintains critical, confidential and sensitive information on its computer systems.

During our review, we noted the following weaknesses:

  • Lack of security strategy - A security strategy, to ensure that adverse situations such as security breaches and system failures were adequately addressed in a timely manner, had not been developed.
  • Lax security parameters - Logical security was not consistently enforced or monitored, and lax security controls were allowed. We identified accounts with no password requirements, no password change interval, and no intrusion detection. Usernames and passwords were maintained in clear text and available to all users of the Department’s network. We also identified fifteen individuals with inappropriate administrative access.
  • Lack of encryption - Traffic transmitted through the Department’s internal network as well as traffic to and from the Foreign Trade Offices via the Internet was not encrypted to ensure that packets containing sensitive and confidential information were not readable by unauthorized parties.

Without the implementation of adequate controls and procedures, there is a greater risk that unauthorized access to Department resources may be gained and data destroyed. Prudent business practices dictate that the Department strengthen its security to protect its assets and resources against unauthorized access and misuse. Failure to identify specific weaknesses associated with unauthorized access could leave the Department exposed to major disruption of services to the public. (Finding 4, pages 18-19)

We recommended that the Department develop a formal security strategy and implement more stringent security parameters on its computer systems. We also recommend that an independent review of security administration and awareness be performed periodically to ensure the Department’s security needs are being met, identify weaknesses, and encourage adherence to established policies and procedures.

Department officials responded that they partially agree with this recommendation and that while the Department agrees with the bulk of the finding, the Department does not believe significant risks existed for either network or Internet operations. The Department does agree that their policies and procedures can be improved.

The Department is currently in the process of strengthening their policies and procedures as recommended, including security administration, and will establish a policy regarding encryption of information transmitted through the network.

OTHER FINDINGS

The remaining findings were less significant and corrective action is reportedly in process. We will review the Department’s progress toward implementation of our recommendations in our next audit.

Mr. Jack Lavin, Director of the Department of Commerce and Economic Opportunity (formally the Department of Commerce and Community Affairs) provided the Department's responses.

AUDITORS’ OPINION

Our auditors stated the Department’s financial statements as of June 30, 2002 were fairly presented in all material respects.

 

___________________________________

WILLIAM G. HOLLAND, Auditor General

WGH:TLD:pp

AUDITORS ASSIGNED

This audit was performed by the staff of the Office of the Auditor General.