REPORT DIGEST

ILLINOIS EMERGENCY MANAGEMENT AGENCY

COMPLIANCE EXAMINATION
FOR THE TWO YEARS ENDED JUNE 30, 2019

Release Date: March 18, 2021

FINDINGS THIS AUDIT: 6

CATEGORY:    NEW -- REPEAT -- TOTAL
Category 1:  1 -- 0 -- 1
Category 2:  4 -- 1 -- 5
Category 3:  0 -- 0 -- 0
TOTAL:       5 -- 1 -- 6

FINDINGS LAST AUDIT: 8

Category 1: Findings that are material weaknesses in internal control and/or a qualification on compliance with State laws and regulations (material noncompliance).
Category 2: Findings that are significant deficiencies in internal control and noncompliance with State laws and regulations.
Category 3: Findings that have no internal control issues but are in noncompliance with State laws and regulations.

State of Illinois, Office of the Auditor General
FRANK J. MAUTINO, AUDITOR GENERAL

To obtain a copy of the Report contact: Office of the Auditor General, Iles Park Plaza, 740 E. Ash Street, Springfield, IL 62703, (217) 782-6046 or TTY (888) 261-2887

This Report Digest and Full Report are also available on the worldwide web at www.auditor.illinois.gov

SYNOPSIS

• (19-01) The Agency did not exercise adequate control over its reconciliations.
• (19-04) The Agency did not maintain adequate controls over its computing environment.

FINDINGS, CONCLUSIONS, AND RECOMMENDATIONS

INADEQUATE CONTROLS OVER RECONCILIATIONS

The Illinois Emergency Management Agency (Agency) did not exercise adequate control over its reconciliations. During our review of the Agency’s monthly reconciliations, we noted the following:

• 82 of 288 (28%) reconciliations of the Agency’s internal records to the Office of the State Comptroller’s (Comptroller) Monthly Revenue Status (SB04) reports were not performed timely. The reconciliations were performed between 2 and 279 days late.
• Six of 288 (2%) reconciliations of the Agency’s internal records to the Comptroller’s SB04 reports were not performed.
• For 23 of 288 (8%) reconciliations of the Agency’s internal records to the Comptroller’s SB04 reports, we could not determine whether the Agency completed the reconciliations within 60 days of the month end, due to lack of adequate supporting documentation to indicate the dates of proper completion.
• 100 of 168 (60%) reconciliations of the Agency’s internal expenditure records to the Comptroller’s Monthly Appropriation Status (SB01) reports were not performed timely. The reconciliations were performed between 1 and 295 days late.
• 30 of 168 (18%) reconciliations of the Agency’s internal expenditure records to the Comptroller’s SB01 reports were not performed.
• 30 of 30 (100%) monthly reconciliations of the Agency’s internal records to the Comptroller’s Agency Contract (SC14) reports were not performed.
• 30 of 30 (100%) monthly reconciliations of the Agency’s internal records to the Comptroller’s Obligation Activity (SC15) reports were not performed.

(Finding 1, pages 12-13)

We recommended the Agency strengthen its controls and procedures to ensure its accounting records are properly and timely reconciled to Comptroller records.

The Agency accepted our recommendation and stated it has implemented policies and procedures that ensure the timely and accurate reconciliation of Agency accounting records to those of the Comptroller.

COMPUTER SYSTEM WEAKNESSES

The Agency did not maintain adequate controls over its computing environment. The Agency had established computer systems and maintained data in order to meet its mission and mandate. The Agency processed and maintained critical, confidential and sensitive data. During testing, we noted:

• Patch management procedures for ensuring vendor released patches, service patches, fixes, and updates are current had not been established.
• Although the Agency had policies requiring password complexity and strong password requirements, they were not enabled.
• Policies and procedures for the proper disposal of confidential information had not been established.

In addition, we noted programmers had access to the production environment.

It should be noted the auditors provided the results of their testing to the Agency on September 30, 2020, and the Agency accepted those results on October 28, 2020. The Agency subsequently presented, and the auditors accepted and tested, additional information related to computer security on February 10, 2021. The results of testing the additional information are noted above.

(Finding 4, pages 19-21)

We recommended the Agency establish procedures which address patch management and the proper disposal of confidential information. In addition, we recommended the Agency enable password complexity requirements and strong password requirements. Furthermore, we recommended restricting programmer access to the production environment and if the Agency determines access is necessary, the Agency should establish and enforce compensating controls to ensure appropriate oversight.

The Agency disagreed with our recommendation regarding the lack of patch management procedures, password requirements not being enabled, and the lack of policies and procedures for the proper disposal of confidential information. The Agency stated it has created a specific patch management policy to supplement the change management policy and other Agency policies related to change and configuration management. The Agency also stated it has been enforcing a complex password policy since 2019. Further, the Agency stated it has also implemented two-factor authentication to further strengthen access controls. Additionally, the Agency stated it has adequate controls for the proper storage and disposal of confidential information.
The Agency stated a series of documents to support the policies and procedures for the secure storage and disposal of confidential information was provided to the audit staff throughout the audit engagement, including a data wiping policy for electronic storage devices that was established in 2015.

The Agency accepted our recommendation regarding restricting programmer access to the production environment. The Agency stated it will review programmer access to the production environment and determine whether additional controls can be enabled to limit programmer access and provide assurance that all changes are documented, reviewed, and approved prior to implementation of the change.

In our accountant’s comment, we noted policies and procedures to require strong, complex passwords were not enforced during the examination period. In fact, the Agency did not begin enforcement until October 23, 2019. We also noted the policies and procedures for the secure storage and disposal of confidential information did not address all required elements. Lastly, we noted that in a correspondence from the Agency on September 30, 2020, it was stated the Agency was in the process of working on the patch management procedures and would formalize the procedures on March 4, 2021.

OTHER FINDINGS

The remaining findings pertain to inadequate controls over receipts and accounts receivable, inadequate controls over voucher processing, inadequate controls over personal services, and inadequate controls over motor vehicles. We will review the Agency’s progress towards the implementation of our recommendations in our next compliance examination.

ACCOUNTANT’S OPINION

The accountants conducted a compliance examination of the Agency for the two years ended June 30, 2019, as required by the Illinois State Auditing Act. The accountants qualified their report on State compliance for Finding 2019-001.
Except for the noncompliance described in this finding, the accountants stated the Agency complied, in all material respects, with the requirements described in the report.

This compliance examination was conducted by the Office of the Auditor General’s staff.

JANE CLARK
Division Director

This report is transmitted in accordance with Section 3-14 of the Illinois State Auditing Act.

FRANK J. MAUTINO
Auditor General

FJM:meg