REPORT DIGEST

DEPARTMENT OF COMMERCE AND ECONOMIC
OPPORTUNITY

COMPLIANCE EXAMINATION
FOR THE TWO YEARS ENDED JUNE 30, 2020

Release Date:  April 22, 2021

FINDINGS THIS AUDIT:  19

CATEGORY:  NEW -- REPEAT -- TOTAL
Category 1:  0 -- 0 -- 0
Category 2:  11 -- 8 -- 19
Category 3:  0 -- 0 -- 0
TOTAL:  11 -- 8 -- 19

FINDINGS LAST AUDIT: 10

Category 1: Findings that are material
weaknesses in internal control and/or a
qualification on compliance with State
laws and regulations (material
noncompliance).
Category 2: Findings that are significant
deficiencies in internal control and
noncompliance with State laws and
regulations.
Category 3: Findings that have no
internal control issues but are in
noncompliance with State laws and
regulations.

State of Illinois, Office of the Auditor
General
FRANK J. MAUTINO, AUDITOR GENERAL

To obtain a copy of the Report contact:
Office of the Auditor General, Iles Park
Plaza, 740 E. Ash Street, Springfield, IL
62703
(217) 782-6046 or TTY (888) 261-2887

This Report Digest and Full Report are
also available on the worldwide web at
www.auditor.illinois.gov

SYNOPSIS

• (20-3) The Department did not submit or
timely submit required reports in
accordance with the mandates set forth in
State Law.
• (20-5) The Department did not comply
with various statutory mandates.
• (20-7) The Department’s organizational
chart contains excessive vacancies and no
longer reflects a usable representation
of the organizational structure of the
Department
• (20-12) The Department had not
implemented adequate internal controls
related to cybersecurity programs and
practices.

FINDINGS, CONCLUSIONS, AND
RECOMMENDATIONS

FAILURE TO SUBMIT, OR TIMELY SUBMIT
REQUIRED REPORTS

The Department of Commerce and Economic
Opportunity (Department) did not submit
or timely submit required reports in
accordance with the mandates set forth in
State Laws.

During testing of statutes applicable to
the Department, auditors noted the
following:

• The Department did not complete or
submit a survey on business incentives
based upon its contacts of businesses
that are located in the State or have
been identified as having left the State
to the General Assembly by July 1, 2019
and 2018, respectively.

• The Department did not ensure the Task
Force on Opportunities for At-Risk Women
met at least quarterly or submitted the
required report on January 1 of each year
of the examination period.

• The Department did not collect
incubator sponsor reports during the
examination period.  The Build Illinois
Act allows the Department to designate
unoccupied or nearly unoccupied
properties as small business incubators
for the purpose of encouraging and
assisting the establishment and expansion
of small business within the State.

• The Department did not create a report
on the activities which describe how
funds and appropriations were utilized as
required by the Southwestern Illinois
Metropolitan Regional Planning Act.
(Finding 3, pages 17-19)  This finding
has been repeated since 2010.

We recommended the Department ensure
necessary information is collected and
required reports are timely submitted to
the Governor and General Assembly or seek
legislative remedy from the statutory
requirements.

The Department accepted our
recommendation.

NONCOMPLIANCE WITH STATUTORY MANDATES

The Department of Commerce and Economic
Opportunity (Department) did not comply
with various statutory mandates.

During testing, auditors noted the
following:

• The Department did not submit a
strategic economic development plan to
the Governor and General Assembly by July
1, 2019.

• The Department did not include in the
existing Community Development Assistance
set-aside program monies for moving
expenses.

• The Department did not develop or adopt
rules for an engineering excellence
program.

• Department’s official website did not
contain a comprehensive list of State,
local, and federal economic benefits
available to businesses in each of the
State’s counties and municipalities.

• The Department did not establish a
website during the examination period
devoted to marketing Illinois goods and
services by linking potential purchasers
with producers of goods and services who
are located in the State.

• The Department did create a database
that provides access to research and
business opportunities but did not allow
access to users external to the
Department and did not connect the
database through international
communication systems with appropriate
domestic and worldwide networks users.

• The Department did not administer the
Illinois Main Street Program, the
Industrial Development Assistance Law,
and did not create the Clean Water
Workforce Pipeline Program or the Human
Services Capital Investment Grant
Program.

• The Department maintained a website to
help persons wishing to create new
businesses or relocate businesses to
Illinois; however, the Department did not
update the website annually or send
requests to other State agencies to
report any applicable application form
changes as required.

• The Department did not, in consultation
with the General Assembly, timely
complete an assessment of its current
practices related to marketing program
and the extent to which the Department
assists Illinois residents in the use and
coordination of programs offered by the
Department.

• The Department did not create the
economic plan to assist businesses and
municipalities located geographically
close to bordering states. (Finding 5,
pages 25-32)  This finding has been
repeated since 2012.

We recommended the Department seek or
allocate resources to comply with its
statutory requirements or seek a
legislative remedy as appropriate.

The Department accepted our
recommendation.

EXCESSIVE VACANCIES ON THE ORGANIZATION
CHART

The Department of Commerce and Economic
Opportunity’s (Department) organizational
chart contains excessive vacancies and no
longer reflects a usable representation
of the organizational structure of the
Department.

During the examination, we obtained the
Department’s most recently compiled
organizational chart.  For the two years
ended June 30, 2020, the Department’s
organizational chart depicts 823
positions, of which 277 were filled and
546 were vacant (66%).  The Department’s
current approved headcount is 359.

The Department’s headcount, going back
approximately 20 years, was highest in
fiscal year 2000 at 528 employees. During
inquiry with Department management during
our examination, Department management
stated their own analysis identified 100
vacancies, which was approximately a 41%
increase from the Department’s current
headcount, they hoped to fill in the near
future.  One hundred vacancies is a much
more realistic figure, and well short of
the 546 vacancies shown on the
organizational chart.  (Finding 7, pages
37-39)

We recommended the Department annually
evaluate and update its organizational
chart to reflect the true reporting lines
and programs of the Department.

Department management disagreed with our
recommendation stating reducing vacant
positions from the Department’s
organizational chart would limit the
Department’s ability to agilely stand up
new programs as they are mandated by the
General Assembly and the process to
establish new positions is very time
consuming and involves many levels of
approval from various other state
agencies.

Accountants commented the Department’s
organization chart contains so many
vacancies that it has become unworkable
and unusable as an internal control tool
to manage the Department’s organization.
The Department has not come close to
employing the number of positions
imagined within the organization chart in
the last twenty years and envisions a
scenario in which the Department would
nearly triple its current headcount.

WEAKNESSES IN CYBERSECURITY PROGRAMS AND
PRACTICES

The Department of Commerce and Economic
Opportunity (Department) had not
implemented adequate internal controls
related to cybersecurity programs and
practices.

The Department maintains confidential
information to assist in fulfilling its
mission including, but not limited to,
information pertaining to finance,
economic development, human resources,
and payroll.  During the examination
period, the Department utilized the
common systems and support of the
Department of Innovation and Technology
(DoIT).

During our examination of the
Department’s cybersecurity program
practices, we noted the Department had
not:

• Solely relied on their own
cybersecurity policies, but also relied
on DoIT’s cybersecurity policies.
However, the Department has not conducted
an analysis of DoIT’s policies to ensure
they apply to the Department’s
environment.

• Established a formal framework
including assigned responsibilities over
cybersecurity.

• Performed a formal risk assessment to
identify and ensure adequate protection
of information most susceptible to
attack.

• Formally classified its data to
establish the types of information most
susceptible to attack to ensure adequate
protection. (Finding 12, pages 48-49)

We recommended the Department:

• Conduct an analysis of DoIT’s policies
to ensure they apply to the Department’s
environment.

• Establish a framework identifying and
assigning cybersecurity responsibilities.

• Perform a comprehensive risk assessment
to identify all confidential information
in electronic and hardcopy form in an
effort to assess overall security over
this information.

• Formally classify its data to establish
the types of information most susceptible
to attack to ensure adequate protection.

The Department accepted our
recommendation and indicated a formal
risk assessment was performed in December
2020 and they documented cybersecurity
roles and responsibilities in March 2021.

OTHER FINDINGS

The remaining findings pertain to the
following:

• Grant management
• Noncompliance with the Fiscal Control
and Internal Auditing Act
• Not staffing boards, commissions,
committees, and councils
• Administering tax credit programs
• Performance evaluations and time
reporting not completed timely
• Inaccurate agency workforce report
• Employee training
• Exceptions identified with separation
of interns
• Weaknesses in controls over information
systems
• Inaccurate reporting of receivables
• Failure to prepare a complete and
accurate analysis of overtime schedule

We will review the Department’s progress
towards the implementation of our
recommendations in our next compliance
examination.

ACCOUNTANT’S OPINION

The accountants conducted a compliance
examination of the Department for the two
years ended June 30, 2020, as required by
the Illinois State Auditing Act.  The
accountants stated the Department
complied, in all material respects, with
the requirements described in the report.

This compliance examination was conducted
by Sikich LLP.

JANE CLARK
Division Director

This report is transmitted in accordance
with Section 3-14 of the Illinois State
Auditing Act.

FRANK J. MAUTINO
Auditor General

FJM:JAF