REPORT DIGEST
DEPARTMENT OF HUMAN SERVICES
FINANCIAL AUDIT FOR THE YEAR ENDED JUNE 30, 2021
Release Date: June 22, 2022

FINDINGS THIS AUDIT: 10
CATEGORY: NEW -- REPEAT -- TOTAL
Category 1: 1 -- 9 -- 10
Category 2: 0 -- 0 -- 0
Category 3: 0 -- 0 -- 0
TOTAL: 1 -- 9 -- 10
FINDINGS LAST AUDIT: 13

Category 1: Findings that are material weaknesses in internal control and/or a qualification on compliance with State laws and regulations (material noncompliance).
Category 2: Findings that are significant deficiencies in internal control and noncompliance with State laws and regulations.
Category 3: Findings that have no internal control issues but are in noncompliance with State laws and regulations.

State of Illinois, Office of the Auditor General
FRANK J. MAUTINO, AUDITOR GENERAL
To obtain a copy of the Report contact: Office of the Auditor General, Iles Park Plaza, 740 E. Ash Street, Springfield, IL 62703 (217) 782-6046 or TTY (888) 261-2887
This Report Digest and Full Report are also available on the worldwide web at www.auditor.illinois.gov

SYNOPSIS
• (21-01) The Department does not have an adequate understanding of the suitability of the design of internal control or the operating effectiveness of internal control in place over all data recorded in its financial statements for transactions initiated by other State agencies and recorded in the Department’s financial statements.
• (21-03) The Department’s year-end financial reporting in accordance with generally accepted accounting principles (GAAP) contained inaccurate information.
• (21-05) The Departments (HFS and DHS) had insufficient internal controls over changes to the Integrated Eligibility System (IES) and recipient data.
• (21-09) The Department of Healthcare and Family Services (HFS) failed to execute interagency agreements (IA) with the Department of Human Services (DHS) establishing adequate internal controls over operation of the State of Illinois’ Illinois Medicaid Program Advanced Cloud Technology system (IMPACT). In addition, HFS failed to sufficiently review and document eligibility requirements either prior to the approval of eligibility, and/or during the required monthly screenings for enrolled providers.
• (21-10) The Departments (HFS and DHS) failed to establish and maintain adequate general information technology internal controls (general IT controls) over the operation of the State of Illinois’ Illinois Medicaid Program Advanced Technology system (IMPACT).

FINDINGS, CONCLUSIONS, AND RECOMMENDATIONS

MEDICAL ASSISTANCE PROGRAM FINANCIAL INFORMATION
The Department of Human Services (Department) does not have an adequate understanding of the suitability of the design of internal control or the operating effectiveness of internal control in place over all data recorded in its financial statements for transactions initiated by other State agencies and recorded in the Department’s financial statements.
During our testing of the financial statements, we noted the following:
• The Department could not provide documentation of the preparation or the Department’s review of expenditure reconciliations for Federal Medical Assistance Program (MAP) funds or the State Children’s Health Insurance Program (CHIP) (Funds 0120, 0142, 0211, 0365, 0502, 0509, 0718) between amounts reported in the Department’s Consolidated Accounting and Reporting System (CARS) and amounts reported in the Grant/Contract Analysis Forms (Form SCO-563s) provided to the Comptroller’s Office (IOC) which support the receivable calculation for financial reporting.
The amount per the Form SCO-563s (totaling approximately $374 million for total reimbursable costs “TRC” for Assistance Listing Numbers 93.767 and 93.778) is a computed amount (a formula), essentially the amount needed to achieve the reported receivable balance provided by the Department of Healthcare and Family Services (HFS), a separate State agency. The Department does not retain a reconciliation between what is reported on the Form SCO-563s (claimable expenditures) and within CARS (all expenditures) for each fund. Additionally, there is no documentation maintained by the Department to support the calculation and methodology used by HFS in preparing the federal receivable amount (approximately $17.2 million for the two programs).
• During testing of expenditures and liabilities, we determined that the Department is not monitoring or reviewing the payments submitted by HFS, or the liabilities calculated by HFS, on behalf of the Department and reported in the Department’s financial statements. When HFS submits a request for payment to the IOC, a summary file is also sent to the Department which goes through an interface and is recorded into CARS. An employee in the Department’s Fiscal Services Bureau reconciles the payments between CARS and the IOC before accepting them into CARS. Although the Department has documented its understanding of how transactions for DHS programs are processed within HFS, the Department was not able to provide auditors with documentation of its monitoring performed over the amounts reported in the Department’s financial statements. Additionally, the Department is placing reliance on the internal control over the applicable HFS system without recent independent verification of the system. Currently, the Department receives summarized information from HFS and records the transactions into CARS and the GAAP packages without performing sufficient procedures to determine the accuracy of the information.
(Finding 1, pages 75-76)
We recommended the Department assume more responsibility for the transactions and balances reported in its financial statements that are initiated/estimated by other State agencies, including the following: entering into an interagency agreement (IA) with HFS that details the responsibilities of each agency with regards to initiating, processing and recording transactions, and how the sufficiency of internal control over Department transactions will be monitored (i.e. annual internal audit, SOC 1 Type 2 audit, or other), and, once an IA is executed, on a regular basis, the Department should determine if the control system and related monitoring agreed to through the IA, is sufficient to prevent and detect significant financial statement errors. The sufficiency of internal control should be monitored each time there is a major change to MAP/CHIP programs or IT systems used for those programs. We also recommended expenditure and accrual amounts provided by HFS in connection with year-end reporting of Federal MAP receivables should be reconciled to CARS or agreed to reports and source data compiled by HFS.
The Department accepted the recommendation and stated it will pursue an interagency agreement with HFS and monitor audits and reviews performed on HFS data and internal controls.

WEAKNESSES IN PREPARATION OF YEAR-END DEPARTMENT FINANCIAL STATEMENTS
The Department of Human Services’ (Department’s) year-end financial reporting in accordance with generally accepted accounting principles (GAAP) contained inaccurate information.
The Department does not have adequate controls over the completeness and accuracy of year-end financial reporting which resulted in errors in the GAAP basis financial statements and supporting schedules provided to the auditors. The Department does not perform a sufficient supervisory review of all amounts recorded in its financial statements and footnotes.
We noted and the Department corrected the following disclosure errors related to Footnotes 9 and 10:
• Most Department employees participate in the State Employees' Retirement System (SERS), which is a single-employer defined benefit pension trust fund. The pension expense amount reported in the draft financial statements for Footnote 9 for State Employees' Retirement System (SERS) was understated by $58.5 million. The Department netted the reversal of the contributions to the SERS Plan with pension expense to arrive at the pension expense amount disclosed in Footnote 9 - Defined Benefit Pension Plans.
• Certain Department facility employees participate in the Teachers Retirement System of Illinois (TRS), which is a multiple employer cost sharing plan with a special funding situation. GASB Statement No. 68 Accounting and Financial Reporting for Pensions, requires that the Department, as an employer, record its portion of the non-employer contributing entity (NECE) pension expense pertaining to Department employees in the government wide financial statements (as a revenue and an expense). This amount for the year ended June 30, 2021 was approximately $6.8 million and the Department recorded approximately $3.2 million, the difference was deemed immaterial and not recorded.
• The Department's employees are members of the State Employees Group Insurance Program sponsored by the State of Illinois, Department of Central Management Services for their other postemployment benefits (OPEB). The OPEB expense amount reported in the draft financial statements for Footnote 10 was understated by $12.8 million. The Department netted the reversal of the contributions to the OPEB Plan with OPEB expense to arrive at the OPEB expense amount disclosed in Footnote 10 - Postemployment Benefits.
Additionally, prior year audit entries for the General Revenue Fund (001) and the DHS Special Purposes Trust Fund (0408) were not correctly reversed during FY2021 resulting in a misstatement in federal operating grant revenues. In FY 2020, audit adjustments were recorded to correct the accounting for federal operating grant revenues and receivables for the Child Care Assistance program. In the prior year, revenues earned by Fund 0001 were recorded as revenue in Fund 0408, resulting in a correcting entry and an interfund receivable and payable between the two funds. In FY 2021, the prior year entries were reversed solely to federal operating grant revenue as part of the year-end close process. A portion of the FY 2020 interfund balance was not liquidated and was forgiven. That portion ($24.7 million) should have been classified as a transfer between the two funds during FY 2021, instead of an adjustment to revenue. These errors were corrected by the Department. (Finding 3, pages 82-84)
We recommended Department management increase the level and quality of supervisory review of year-end financial reporting including completing a report checklist, such as the one available on the Government Finance Officers’ Association (GFOA) website, to determine if all amounts and disclosures in the financial statements are complete and accurate, and carefully reviewing audit entries from the prior period when determining the reversing entry to be recorded.
DHS accepted the recommendation and stated it will review the GFOA checklist regarding benefit plans and identify items that apply to IDHS pension and OPEB reporting.

INSUFFICIENT INTERNAL CONTROLS OVER CHANGES TO THE IES AND RECIPIENT DATA
The Department of Healthcare and Family Services and the Department of Human Services (collectively, the “Departments”) had insufficient internal controls over changes to the Integrated Eligibility System (IES) and recipient data.
Management of the Departments have shared responsibility for various human service programs in the State and for internal controls over the manual and automated processes relating to eligibility for these programs. The Departments’ IES is the automated system used by the Departments which intakes, processes (with the assistance of caseworkers), and approves recipient applications, maintenance items, and redeterminations in order to determine eligibility and make payments for the State’s human service programs.
Change control is the systematic approach to managing changes to an IT environment, application, or data. The purpose is to prevent unnecessary and/or unauthorized changes, ensure all changes are documented, and minimize any disruptions due to system changes.

IES Application Changes Policies and Procedures
Our review of the April 20, 2020 IES Change Management Plan (Plan) noted the Plan did not:
• Define the requirements for the prioritization or classification of changes,
• Define the numerical grading for determining impact,
• Define the detailed documentation requirements for test scripts and results, impact analysis, design documentation, or other required documentation, and
• Define when changes were required to include a specific requirement, who was to review the various steps and when and by whom approvals were required.
Additionally, we noted backout plans to return the system to a previous functional version in the event a change moved into production caused undesired results had not been prepared for individual infrastructure changes.

Testing of IES Application Changes
Due to the Plan’s limitations noted above, the scope of our audit procedures was limited to the Departments’ testing and approval of IES changes prior to placing them into production. Specifically, we could not perform testing on other change management control procedures, which would otherwise be typically tested, as they were not included in the Plan.
Our testing noted no exceptions during testing of IES application changes. (Finding 5, pages 88-90)
We recommended management of both Departments work together to strengthen controls in the Change Management Plan by including:
• Specific requirements for the prioritization or classification of changes,
• Definitions of the numerical grading for determining impact,
• Detailed documentation requirements for test scripts and results, impact analysis, design documentation, or other required documentation,
• Definitions of when changes are required to include a specific requirement, who should review the various steps, and when, and by whom approvals are required, and
• Requirements for backout plans to return the system to a previous functional version in the event a change moved into production causes undesired results, for individual infrastructure changes.
DHS accepted the recommendation and stated it will review its Change Management policy and procedure to assure that it meets the auditor recommendations. DHS stated it will also review and modify, as needed, its documentation of the various steps and the responsible individuals, in the change approval process and work to develop a documented change backout plan.

INSUFFICIENT REVIEW AND DOCUMENTATION OF PROVIDER ENROLLMENT DETERMINATIONS AND FAILURE TO EXECUTE INTERAGENCY AGREEMENT
The Department of Healthcare and Family Services (HFS) failed to execute interagency agreements (IA) with the Department of Human Services (DHS) establishing adequate internal controls over the operation of the State of Illinois’ Illinois Medicaid Program Advanced Cloud Technology system (IMPACT). In addition, HFS failed to sufficiently review and document eligibility requirements either prior to the approval of eligibility, and/or during the required monthly screenings for enrolled providers.
Interagency Agreements
Auditors noted HFS did not enter into or have an existing IA with DHS defining each agency’s roles and responsibilities as they related to IMPACT during fiscal year 2021.

Detail Sample Testing of IMPACT Providers at HFS
During fiscal year 2021, 24,209 provider enrollment applications were approved in IMPACT. In order to determine if the providers’ applications were approved in accordance with federal and State laws/rules/regulations, a sample of 60 approved applications were selected for testing. Our testing noted seven (12%) approved provider applications did not contain documentation to substantiate a review of the provider’s required professional license or board certification to confirm the licenses/certifications were valid at the time the application was approved.

Detail Sample Testing of IMPACT Providers at DHS
During testing, the auditors determined DHS did not solely utilize IMPACT as the official book of record or consistently rely on it to verify its providers met certain Medicaid requirements prior to approving them to provide services. Specifically, in fiscal year 2021, DHS performed procedures to determine if its providers met certain Medicaid requirements outside of IMPACT. Upon completion of those procedures, DHS personnel then entered the providers’ information into IMPACT and approved the provider’s file in order to grant approval for payment.
In order to determine if DHS provider applications were approved in accordance with federal and State laws/rules/regulations, prior to DHS entering their information into IMPACT, the auditors selected a sample of 60 approved applications for detailed testing and had no exceptions.
Additionally, on a monthly basis, IMPACT conducts monthly screenings of provider profiles against several databases to determine if the provider licenses are valid and current, and identifies suspected criminal activity.
During testing, the auditors determined DHS personnel did not regularly follow up on issues identified in IMPACT during the monthly screenings. (Finding 9, pages 97-99)
We recommended HFS management work with DHS to ensure all provider applications are properly reviewed, approved, and documented within IMPACT. In addition, we recommended HFS work with DHS to execute detailed interagency agreements which document specific roles and responsibilities as they relate to IMPACT. Finally, until the interagency agreement is finalized, we recommended DHS follow up on issues identified pertaining to their providers, from the IMPACT monthly screenings.
DHS accepted the recommendation and stated it will work with HFS to ensure provider applications are properly reviewed, approved, and documented within IMPACT. An interagency agreement was drafted and submitted for final approval. IDHS will review the findings and follow up on deficiencies identified pertaining to our providers from the IMPACT monthly screenings.

INADEQUATE GENERAL INFORMATION TECHNOLOGY CONTROLS OVER IMPACT
The Department of Healthcare and Family Services (HFS) and the Department of Human Services (DHS) (collectively, the “Departments”) failed to establish and maintain adequate general information technology internal controls (general IT controls) over the operation of the State of Illinois’ Illinois Medicaid Program Advanced Technology system (IMPACT).
In calendar year 2012, HFS and the State of Michigan’s Department of Community Health entered into an intergovernmental agreement (IGA) for the State of Illinois (State) to utilize Michigan’s existing Medicaid Management Information System (MMIS) and its related infrastructure with the goal of replacing the State’s MMIS to accommodate the processing of the State’s Medicaid provider enrollment determinations and all Medicaid claim payments to such providers.
Since 2012, the State has implemented two phases of IMPACT: Electronic Health Record Medicaid Incentive Payment Program (eMIPP) and Provider Enrollment (PE).
An IGA was entered into in 2015 which formally established the Illinois-Michigan Program Alliance for Core Technology. Additionally, the parties agreed to pursue expansion of the Michigan MMIS environment to accommodate the processing of Illinois’ Medicaid claims. The IGA required Michigan to extend its current system to utilize cloud architecture that would result in converged infrastructure, maximizing the effectiveness of shared resources, and allowing the shared services to be offered to HFS.
As a result of the Departments not having access to or control over IMPACT and its infrastructure, the auditors requested HFS provide a System and Organization Control (SOC) report which would provide the State and auditors information on the design and effectiveness of internal controls over IMPACT. In response, HFS provided a Security Assessment Report (Report); however, this report did not evaluate the design and implementation of Michigan’s internal controls. Specifically, the Report did not document:
• Timeframe/period in which the Security Assessment Report covered,
• Independent service auditor’s report,
• Details of the testing conducted, and
• Details of Michigan’s internal controls as they relate to:
  — Control environment,
  — Risk assessment processes,
  — Information and communication,
  — Control activities, and
  — Monitoring activities.
As a result, the auditors were unable to perform adequate procedures to satisfy themselves that certain general IT controls (change management) to IMPACT were operating effectively during the audit period.
Change Management
As a result of the Departments’ failure to obtain a SOC report, as noted above, or conduct their own timely, independent internal control review over changes to IMPACT, data, or the infrastructure, the auditors were unable to determine if changes made during the audit period were proper and approved.

User Access Control
The auditors noted HFS included all users, including DHS users, in its annual IMPACT Provider Enrollment Access Review. However, due to no executed intergovernmental agreement between HFS and DHS (see Finding 2021-009), there was no interim user access review completed for DHS. (Finding 10, pages 100-102)
We recommended the Departments work with the service provider to obtain assurance the internal controls over IMPACT, data, and the infrastructure, including change control and user access, are adequate. Additionally, until the Departments execute an intergovernmental agreement which addresses all user access testing, we recommended DHS perform periodic user access reviews of all DHS employees with access to IMPACT.
DHS accepted the recommendation and stated it will work with HFS and the service provider to ensure controls over IMPACT, data, and the infrastructure are adequate.

OTHER FINDINGS
The remaining findings pertain to the lack of adequate controls over service providers, census data, access review procedures for IES, disaster recovery controls over the IES, insufficient detailed agreement with the Department of Innovation & Technology, and inadequate interagency agreement over IES. We will review the Department’s progress towards the implementation of our recommendations in our next financial audit.

AUDITOR’S OPINION
The auditors stated the financial statements of the Department of Human Services as of and for the year ended June 30, 2021 are fairly stated in all material respects.
This financial audit was performed by RSM US LLP.
JANE CLARK
Division Director
This report is transmitted in accordance with Section 3-14 of the Illinois State Auditing Act.
FRANK J. MAUTINO
Auditor General
FJM:jv