REPORT DIGEST

ILLINOIS EMERGENCY MANAGEMENT AGENCY

COMPLIANCE EXAMINATION
FOR THE TWO YEARS ENDED JUNE 30, 2021

Release Date: July 6, 2022

FINDINGS THIS AUDIT: 10

CATEGORY      NEW   REPEAT   TOTAL
Category 1      3        1       4
Category 2      4        2       6
Category 3      0        0       0
TOTAL           7        3      10

FINDINGS LAST AUDIT: 6

Category 1: Findings that are material weaknesses in internal control and/or a qualification on compliance with State laws and regulations (material noncompliance).
Category 2: Findings that are significant deficiencies in internal control and noncompliance with State laws and regulations.
Category 3: Findings that have no internal control issues but are in noncompliance with State laws and regulations.

State of Illinois, Office of the Auditor General
FRANK J. MAUTINO, AUDITOR GENERAL

To obtain a copy of the Report contact:
Office of the Auditor General, Iles Park Plaza, 740 E. Ash Street, Springfield, IL 62703
(217) 782-6046 or TTY (888) 261-2887

This Report Digest and Full Report are also available on the worldwide web at www.auditor.illinois.gov

SYNOPSIS

• (21-03) The Agency did not exercise adequate controls over State property to ensure completeness of property records and accurate and timely reporting to the Office of Comptroller (Comptroller).
• (21-07) The Agency did not maintain adequate controls over its computing environment.
• (21-08) The Agency had not implemented adequate internal controls related to cybersecurity programs, practices, and control of confidential information.

FINDINGS, CONCLUSIONS, AND RECOMMENDATIONS

PROPERTY CONTROL WEAKNESSES

The Agency did not exercise adequate controls over State property to ensure completeness of property records and accurate and timely reporting to the Office of Comptroller (Comptroller).
During our testing of all Fiscal Year 2020 and 2021 quarterly Agency Reports of State Property (Form C-15), we noted the following:

Late Filing
• For Fiscal Year 2020, the second and fourth quarter Form C-15s were filed 11 and 28 days late, respectively.

Inadequate Support
• For Fiscal Year 2020, the Agency duplicated a leased equipment deletion of $79,704. The transaction was recorded on both the third and fourth quarter Form C-15, and the beginning balance on the fourth quarter Form C-15 was overstated, as the balance still included the leased equipment.
• For Fiscal Year 2021, we were unable to agree the total ending balance reported on the third and fourth quarter Form C-15 to the Agency’s property control records.
• For Fiscal Year 2021, we were unable to agree the asset additions reported on the first and second quarter Form C-15 to the Agency’s property control records.
• For Fiscal Year 2021, we were unable to agree the asset deletions reported on the first and second quarter Form C-15 to the Agency’s property control records.

Incorrect Classification
• For Fiscal Year 2021, surplus items totaling $177,673 were incorrectly reported as deletions, rather than transfers, on the third quarter Form C-15.

Timely Adjustment
• Asset purchases made in December 2020, totaling $9,810,000, were not added to the Agency’s property records, and the items were not reported on a Form C-15 until August 13, 2021.
• For 19 of 240 (8%) items tested, totaling $393,330, the asset records were not updated within 90 days of the asset change.

Expenditure Reconciliation
• We were unable to reconcile the Comptroller’s record of equipment expenditures to the equipment purchases entered in the Agency’s property records, because the property records were inadequate.

(Finding 3, pages 15-18)

We recommended the Agency strengthen its internal controls over State property to ensure property records are complete, reconciled, and updated timely, so that reporting to the Comptroller is accurate and timely.
The Agency partially agreed with the finding and stated that items purchased as equipment under the Comptroller’s records are not necessarily reportable as equipment on the C-15 report, so a reconciliation to the Comptroller’s equipment records is not possible. The Agency further stated there were some errors in the C-15 and that the Agency has implemented updated training and procedures to ensure assets are recorded correctly. The Agency also stated the C-15 reports recognize that errors or omissions can occur and provide fields for the agency to adjust these reports and explain the adjustments. The Agency additionally stated some items that were loaned to the State for the Agency’s COVID response were initially believed to be donations, were recorded as assets, and were corrected at a later date. The Agency also stated warehouses purchased for the State’s COVID response were thought to be recorded under CMS records; however, it was later determined they should be recorded on the Agency’s books. Lastly, the Agency stated it promptly added those to its records once it was discovered they were not part of CMS’s books.

In an accountant’s comment, we noted that, as is necessary during the performance of any reconciliation, certain transactions need to be identified and notated as reconciling items for a specific reason, such as the timing of the transaction or the transaction being below the Agency’s capitalization thresholds. This is not impossible: the procedure is routinely performed by accountants worldwide to verify the completeness and accuracy of an entity’s capital asset balances by reconciling purchases of property, plant, and equipment to capital asset additions. As such, we continue to recommend the Agency strengthen its internal controls over property by performing a full reconciliation between the Agency’s expenditures recorded by the Comptroller and the Agency’s reported additions on its Form C-15s.
COMPUTER SYSTEM WEAKNESSES

The Agency did not maintain adequate controls over its computing environment.

The Agency had established computer systems and maintained data in order to meet its mission and mandate. The Agency processed and maintained critical, confidential, and sensitive data.

During testing, we noted:
• Programmers had access to the production environment;
• Password requirements were not always appropriate;
• Unauthorized individuals had access to the Agency’s data center; and,
• The Agency did not regularly review or monitor users with remote access.

(Finding 7, pages 25-26)

We recommended the Agency:
• Implement controls to restrict programmer access to the production environment;
• Ensure password requirements are appropriate;
• Ensure only authorized individuals have access to the Agency’s data center; and,
• Review and monitor users’ remote access.

The Agency disagreed with the finding and stated it has established an adequate system of internal control that provides reasonable, but not absolute, assurance that agency computer resources are appropriately secured from unauthorized access and protect the security, processing integrity, availability, and confidentiality of its systems and data. The Agency also stated monitoring activities provide additional assurance that the design of the controls is effective and working as management intended.

In an accountant’s comment, we stated it is very concerning that the Agency believes the security weaknesses identified in the finding are consistent with adequate internal controls, specifically in today’s environment. Additionally, the Agency did not provide documentation regarding the monitoring activities noted in its response. Therefore, we cannot determine whether the monitoring activities provided additional assurance over the internal controls.
WEAKNESSES IN CYBERSECURITY PROGRAMS AND PRACTICES

The Agency had not implemented adequate internal controls related to cybersecurity programs, practices, and control of confidential information.

To assist the Agency in meeting its mission of providing emergency management assistance, the Agency utilizes several Information Technology (IT) applications which contain confidential and personal information. The Illinois State Auditing Act (30 ILCS 5/3-2.4) requires the Auditor General to review State agencies and their cybersecurity programs and practices.

During our examination of the cybersecurity program, practices, and control of confidential information, we noted the Agency had not:
• Updated a security policy to depict the actual practices;
• Developed a project management framework to ensure new applications were adequately developed and implemented in accordance with management’s expectations;
• Developed a risk management methodology, conducted a comprehensive risk assessment, and implemented risk-reducing internal controls;
• Established a comprehensive data classification methodology for classifying its data in accordance with risk and with how the data was protected. We noted the methodology did not address how each classification of data would be secured;
• Obtained and reviewed vulnerability scan reports, and documented those reviews, including corrective action plans taken for any vulnerabilities or appropriate reasons for not acting;
• Established a comprehensive cybersecurity plan that described the Agency’s security programs;
• Documented cybersecurity roles and responsibilities; and
• Established comprehensive policies or procedures for reporting security violations, monitoring security events, and ensuring timely follow-up and corrective actions to address identified security events.

(Finding 8, pages 27-30)

We recommended the Agency:
• Ensure all policies reflect actual practices.
• Develop a project management framework to ensure new applications are adequately developed and implemented in accordance with management’s expectations.
• Develop a risk management methodology, conduct a comprehensive risk assessment, and implement risk-reducing internal controls.
• Develop a comprehensive data classification methodology, which should outline the security controls for each classification.
• Develop procedures for reviewing the vulnerability scan reports and documenting those reviews, including any corrective action plans taken to address the vulnerabilities or appropriate reasons for not acting.
• Develop a comprehensive cybersecurity plan.
• Document all cybersecurity roles and responsibilities.
• Establish comprehensive policies or procedures for reporting security violations and monitoring security events, as well as procedures for ensuring timely follow-up and corrective actions to address identified security events.

The Agency disagreed with the finding and stated it continues to work with the Department of Innovation and Technology (DoIT) to establish standardized statewide policies and procedures to which all agencies under the Governor’s Office must adhere. The Agency also stated responsive documentation was provided to the auditors during the performance of this review.

In an accountant’s comment, we stated cybersecurity is not just the responsibility of DoIT, but a shared responsibility between DoIT and the Agency. The Agency, not DoIT, is responsible for the security controls over its applications and data. These facts are specifically addressed in the various DoIT policies and procedures documented on DoIT’s website.
We also stated that Section 4.01 of the Intergovernmental Agreement the Agency entered into with DoIT states the “Client Agency is responsible for developing and prioritizing its IT or IT-related needs in consultation with its designated agency Chief Information Officer (CIO) or Group CIO.” Furthermore, Section 5 of the Intergovernmental Agreement states DoIT will provide “certain infrastructure IT or IT related services” and “the Client Agency shall work with DoIT and provide support to achieve security and consistent operations” in protecting the security, processing integrity, availability, and confidentiality of the Agency’s applications and data.

OTHER FINDINGS

The remaining findings are reportedly being given attention by Agency personnel. We will review the Agency’s progress towards the implementation of our recommendations in our next examination.

ACCOUNTANT’S OPINION

The accountants conducted a State compliance examination of the Agency for the two years ended June 30, 2021, as required by the Illinois State Auditing Act. The accountants qualified their report on State compliance for Findings 2021-002, 2021-003, 2021-005, and 2021-009. Except for the noncompliance described in these findings, the accountants stated the Agency complied, in all material respects, with the requirements described in the report.

This State compliance examination was conducted by Kerber, Eck & Braeckel LLP.

JANE CLARK
Division Director

This report is transmitted in accordance with Section 3-14 of the Illinois State Auditing Act.

FRANK J. MAUTINO
Auditor General

FJM:MEG