REPORT DIGEST

DEPARTMENT OF HEALTHCARE AND FAMILY SERVICES

FINANCIAL AUDIT FOR THE YEAR ENDED JUNE 30, 2015
COMPLIANCE EXAMINATION FOR THE TWO YEARS ENDED JUNE 30, 2015

Release Date: May 12, 2016

FINDINGS THIS AUDIT: 12

CATEGORY: NEW -- REPEAT -- TOTAL
Category 1: 4 -- 0 -- 4
Category 2: 5 -- 3 -- 8
Category 3: 0 -- 0 -- 0
TOTAL: 9 -- 3 -- 12

FINDINGS LAST AUDIT: 8

Category 1: Findings that are material weaknesses in internal control and/or a qualification on compliance with State laws and regulations (material noncompliance).
Category 2: Findings that are significant deficiencies in internal control and noncompliance with State laws and regulations.
Category 3: Findings that have no internal control issues but are in noncompliance with State laws and regulations.

State of Illinois, Office of the Auditor General
FRANK J. MAUTINO, AUDITOR GENERAL

To obtain a copy of the Report contact: Office of the Auditor General, Iles Park Plaza, 740 E. Ash Street, Springfield, IL 62703, (217) 782-6046 or TTY (888) 261-2887

This Report Digest and Full Report are also available on the worldwide web at www.auditor.illinois.gov

SYNOPSIS

• (15-01) The Department and the Department of Human Services failed to establish controls to conduct due diligence or ensure project management over the State of Illinois’ Integrated Eligibility System development project.
• (15-02) The Department and the Department of Human Services lacked internal controls to review the design and operation of the State of Illinois’ Integrated Eligibility System which caused inaccurate determinations in eligibility for human service programs.
• (15-03) The Department and the Department of Human Services had not implemented adequate security, change management, or recovery controls over the State of Illinois’ Integrated Eligibility System.
• (15-04) The Department did not obtain or conduct timely independent internal control reviews over its external service providers used to process Medicaid Incentive Payment Program or dental payments made on behalf of the State.

FINDINGS, CONCLUSIONS, AND RECOMMENDATIONS

LACK OF DUE DILIGENCE AND PROJECT MANAGEMENT OVER THE INTEGRATED ELIGIBILITY SYSTEM (IES)

The Department and the Department of Human Services (Departments) did not establish controls to conduct due diligence or ensure project management over the State of Illinois’ IES development project.

IES was developed to consolidate and modernize eligibility functions and to comply with the Affordable Care Act of 2010. Phase One of IES went live on October 1, 2013 even though it had known problems, required manual workarounds, and encountered data integrity and downtime issues.

Some of the critical deficiencies we noted are as follows:

• The Departments did not conduct due diligence or assess the risks over known problems at October 1, 2013.
• Over-reliance was placed on the vendors.
• System testing was inadequate and did not comply with development requirements.

As a result of the lack of project management, IES did not accurately determine individuals’ eligibility for various social service programs.

Additionally, we would like to note from August through November 2015, we made several requests to the Department for documentation related to project management, systems development, and contractual requirements for IES. The Departments had to rely on vendors to provide the required documentation to respond to the auditors’ requests. During this timeframe, the vendors did not provide complete and accurate information. After discussing the documentation issues in December 2015 with the Departments’ management, the Departments’ management reached out to the vendors from December 2015 through February 2016 to provide the auditors with complete and accurate information.
(Finding 1, pages 12-13)

We recommended the Departments establish controls over project management and due diligence, such as improving vendor relationships, monitoring, testing, etc. for major projects, such as IES.

The Departments accepted the recommendation and have taken steps to address issues noted by the auditors.

INACCURATE DETERMINATION OF ELIGIBILITY

The Department and the Department of Human Services (Departments) lacked internal controls to review the design and operation of the State of Illinois’ Integrated Eligibility System (IES) to sufficiently prevent or detect defects that could cause inaccurate determinations of eligibility. As a result, the auditors noted IES did not accurately determine eligibility for human service programs.

In order to obtain social services, individuals are evaluated on hundreds of financial and non-financial criteria. To test the efficacy of IES’ determination of eligibility for benefits, we selected a sample of a subset of non-financial eligibility criteria including: residency, citizenship, and social security information. After testing all individuals approved within IES from October 1, 2013 to June 30, 2015, we noted multiple defects which resulted in individuals being improperly approved for certain programs.

The defects identified resulted in inappropriate expenditures being made to or on-behalf of individuals. During Fiscal Years 2014 and 2015, the inappropriate expenditures paid by the Departments totaled $8,280,749 for 3,220 individuals. (Finding 2, pages 14-15)

We recommended the Departments implement controls over the review of the design and operations of IES and future development projects, take corrective actions over all defects and evaluate all eligibility criteria within IES to ensure cases are being properly approved.

The Departments accepted the recommendation and have taken steps to address issues noted by the auditors.
LACK OF CONTROLS OVER THE INTEGRATED ELIGIBILITY SYSTEM

The Department and the Department of Human Services (Departments) had not implemented adequate security, change management, or recovery controls over the State of Illinois’ Integrated Eligibility System (IES).

During our review, we identified a significant number of critical deficiencies. Some of the critical deficiencies we noted are as follows:

• Neither of the Departments or vendor provided complete and detailed information necessary to support the implementation of security controls, including compliance with the federal and State security standards.
• Contrary to accepted security practices, users were required to provide their dates of birth and social security numbers in order to recover their User Identifications.
• Changes were made by vendor to the infrastructure that did not comply with approved change management procedures.

Additionally, during the Department’s own review of security controls they noted deficiencies. Some of the critical deficiencies they noted are as follows:

• IES and its servers could be accessed without authentication.
• Devices were not properly configured resulting in incompatibilities between devices.
• The Departments had not ensured the vendor implemented only approved changes to the infrastructure.
• The Departments had not ensured State personnel had access to the infrastructure.

(Finding 3, pages 16-17)

We recommended the Departments establish controls that ensure IES security is safeguarded and adequately document and comply with the required federal and State security standards for IES.

The Departments accepted the recommendation and have taken steps to address issues noted by the auditors.
LACK OF ADEQUATE CONTROLS OVER THE REVIEW OF INTERNAL CONTROLS OVER SERVICE PROVIDERS

The Department did not obtain or conduct timely independent internal control reviews over its external service providers used to process the Medicaid Incentive Payment Program (MIPP) payments and dental payments made on behalf of the State. Furthermore, the Department did not assess the need for independent internal control reviews at subservice organizations utilized by the external service provider of the State’s Dental Program.

During testing, we noted some of the following:

• The Department did not obtain Service Organization Control (SOC) reports or conduct independent internal control reviews of the external service provider which processed the MIPP payments during the audit period.
• The SOC report obtained from the service provider which processed the dental payments indicated the service provider utilized subservice organizations to assist in the processing of the payments. As of June 30, 2015, the Department had not performed an analysis to determine the need to obtain information as to subservice organizations’ internal controls over the processing of the State’s dental payment transactions.

(Finding 4, pages 18-19)

We recommended the Department obtain or perform timely independent reviews of internal controls associated with their party service providers at least annually. In addition, the Department should assess and obtain applicable reports over the internal controls in place at the subservice organizations.

The Department accepted the recommendation.

OTHER FINDINGS

The remaining findings are reportedly being given attention by Department personnel. We will review progress toward implementation of our recommendations in our next Audit/Examination.

AUDITOR’S OPINION

Our auditors stated the financial statements of the Department of Healthcare and Family Services as of June 30, 2015, and for the year ended, are fairly stated in all material respects.
ACCOUNTANT’S OPINION

The accountants conducted a compliance examination of the Department for the two years ended June 30, 2015, as required by the Illinois State Auditing Act. The auditors qualified their report on State Compliance for findings 2015-001 through 2015-004. Except for the noncompliance described in these findings, the auditors state the Department complied, in all material respects, with the requirements described in the report.

FRANK J. MAUTINO
Auditor General

FJM:JV

SPECIAL ASSISTANT AUDITORS

Sikich LLP was our special assistant auditors.