REPORT DIGEST

ENVIRONMENTAL PROTECTION AGENCY

FINANCIAL AND COMPLIANCE AUDIT

For the Year Ended:
June 30, 2000

Summary of Findings:

Total this audit 3
Total last audit 4
Repeated from last audit 3

Release Date:
March 29, 2001

 

 

State of Illinois
Office of the Auditor General

WILLIAM G. HOLLAND

AUDITOR GENERAL

To obtain a copy of the Report contact:
Office of the Auditor General
Attn: Records Manager
Iles Park Plaza
740 E. Ash Street
Springfield, IL 62703

(217)782-6046 or TDD (217) 524-4646

This Report Digest is also available on
the worldwide web at
http://www.state.il.us/auditor

  

 

 

 

SYNOPSIS

 

 

 
  • EPA's Internal Audit department has not completed reviews of all of its major systems of internal accounting and administrative control as required by the Fiscal Control and Internal Auditing Act.
  • The Agency did not have an adequate plan for reacting to information technology disasters.

 

 

 

 

 

 

 

 

{Expenditures and Activity Measures are summarized on the reverse page.}

 

 

 

ENVIRONMENTAL PROTECTION AGENCY
FINANCIAL AND COMPLIANCE AUDIT
For The Year Ended June 30, 2000

EXPENDITURE STATISTICS

FY 2000

FY 1999

Total Expenditures (All Funds)

$377,113,232

$340,228,757

OPERATIONS TOTAL

% of Total Expenditures

$171,313,453

45.43%

$179,224,894

52.68%

Personal Services
% of Operations Expenditures
Average No. of Employees

$53,290,627
31.11%
1,247

$35,708,059
19.92%
1,228

Other Payroll Costs (FICA, Retirement)
% of Operations Expenditures

$16,292,493
9.51%

$9,762,997
5.45%

Contractual Services
% of Operations Expenditures

$72,424,461
42.28%

$44,095,900
24.60%

All Other Operations Items
% of Operations Expenditures

$29,305,872
17.10%

$89,657,938
50.03%

GRANTS TOTAL

% of Total Expenditures

$205,799,779

54.57%

$161,003,863

47.32%

Cost of Property and Equipment

$62,339,108

$29,243,791
SERVICE EFFORTS AND ACCOMPLISHMENTS

(Unaudited)

FY 2000

FY 1999

AIR POLLUTION CONTROL
Title V Permits issued
Facilities inspected
Vehicle emission tests performed


1,127
2,611
1,725,106


582
3,190
2,193,000

LAND POLLUTION CONTROL
Permits issued
Facilities inspected
Cleanup programs:
Federal superfund cleanup (State-lead)
State cleanup projects completed
Leaking Underground Storage Tanks:
Incidents reported
Household Hazardous Waste Collections


718
4,613

3
8

1,397
8


757
4,720

1
6

1,935
7

WATER POLLUTION CONTROL
Permits issued
Facilities inspected
Financial assistance:
Wastewater loans issued
Drinking water loans issued


8,723
1,357

39
27


8,421
1,585

35
28
AGENCY DIRECTOR(S)
During Audit Period: Thomas V. Skinner
Currently: Thomas V. Skinner
 

 

 

 

 

The FY 00 audit plan did not provide for audits of all major systems, and not all planned audits were completed

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

A partial draft of the plan was prepared and submitted to the Agency's Security Officer in October 2000

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

FINDINGS, CONCLUSIONS, AND
RECOMMENDATIONS

INCOMPLETE AUDITING OF INTERNAL CONTROL SYSTEMS

Internal Audit has not completed reviews of all the significant internal control systems as required by the Fiscal Control and Internal Auditing Act. (FCIAA)

The FCIAA (30 ILCS 10/2003(2)) requires the Agency to perform audits of major systems of internal accounting and administrative control on a periodic basis so that all major accounting systems are reviewed at least once every two years. FCIAA also provides for special audits of operations, procedures and other activities as directed by the chief executive officer.

We noted that the audit plan for the two years ended June 30, 2000 did not provide for audits of all major systems and that not all planned audits were completed. Additionally, only 2 of 19 special purpose trust funds with significant expenditure/receipt activity were audited during the period.

Incomplete auditing of all major internal control systems increases the risk that significant internal control weaknesses will exist and errors and irregularities may go undetected. (Finding 3, pages 18-19) This finding has been repeated since 1996.

We recommended the Agency complete reviews of all major systems of internal accounting and administrative controls at least once every two years as required by the Fiscal Control and Internal Auditing Act.

Agency officials agreed to make the necessary adjustments in audit coverage to ensure that all significant control systems are audited while continuing to provide management with meaningful reviews of program operations. (For the previous Agency responses, see Digest footnote #1.)

INADEQUATE COMPUTER DISASTER RECOVERY PLAN

The Agency did not have an adequate plan for reacting to information technology disasters.

The Agency has approximately $7 million of computer equipment located at its facilities throughout the State. The computer equipment includes approximately 1,550 microcomputers connected to local area networks (LANs) and three minicomputers.

A partial draft of the disaster plan was prepared and was submitted to the Agency's Security Officer in October 2000. As of our fieldwork end date, there were still five sections of the plan outstanding. Furthermore, the current draft of the plan still did not cover change procedures, test plans, distribution procedures or alternative space issues.

A written and tested disaster recovery plan can greatly assist management in coping with service disruptions resulting from fires, floods, storms, power failures or vandalism that may last from minutes to weeks. (Finding 2, pages 15-17) This finding has been repeated since 1996.

We recommended the Agency continue its efforts to complete its disaster contingency plan and obtain approval for the plan by the end of 2000.

The Agency agreed with our recommendation and states they are in the final stages of developing the outstanding and missing plan sections. Their goal is to complete the plan by March 31, 2001 and complete testing of the plan by June 30, 2001. (For the previous Agency responses, see Digest footnote #2.)

OTHER FINDING

The remaining finding and recommendation is less significant and is being given attention by the Agency. We will review progress towards the implementation of our recommendations during the Agency’s next audit.

Stuart Gresham, Chief Internal Auditor, provided the responses to our findings and recommendations.

AUDITORS’ OPINION

Our auditors state the June 30, 2000 combined financial statements of the Agency are fairly presented in all material respects.

____________________________________

WILLIAM G. HOLLAND, Auditor General

WGH:KAL:pp

SPECIAL ASSISTANT AUDITORS

Our special assistant auditors were Sikich Gardner & Co, LLP.

DIGEST FOOTNOTES

#1 INCOMPLETE AUDITING OF INTERNAL CONTROL SYSTEMS – Previous Agency Responses

1999: Partially accepted. The Agency agrees with the auditors that an effective internal audit program will regularly and thoroughly review "major" systems of internal controls; however, we differ with the auditors on what is specifically required to accomplish this purpose.

The Comptroller's guidance for implementing and administering the Fiscal Control and Internal Auditing Act (FCIAA) identifies eleven transaction/event cycles commonly found in Illinois State agencies. The auditors interpret FCIAA and the Comptroller's guidance to require, without exception, biennial audits of those of the eleven cycles determined to apply to the agency under review.

We disagree with that interpretation.

FCIAA requires the internal audit program to include:

"Audits of major systems of internal accounting and administrative control conducted on a regular basis so that all major systems are reviewed at least once every 2 years" [30 ILCS 10/2003(2)]

Since no specific systems of internal control are named, the wording, in our opinion, gives the Agency latitude to identify the internal control systems that are of the most significance to its operations and responsibilities. Further, the Comptroller's guidance on internal auditing states:

"The purpose of this section is to help agency chief executive officers identify the major event/transaction cycles and associated control objectives that need to be considered when performing internal reviews. The list is neither all-inclusive nor mandatory. Agencies will probably operate transaction/event cycles not included on the list and certainly not operate all cycles included in the list. Also, all internal control objectives may not be appropriate for a particular situation." [CUSAS 02.50.20 page 1 of 11, emphasis added]

We believe that our major systems of control are those necessary to carry out the programs assigned to the Agency by the General Assembly. For IEPA, we have broadly defined three major transaction/event cycles based on programmatic functions or activities: permit issuance, inspection and monitoring of compliance with environmental laws, and initiation of enforcement actions when non-compliance is found. Internal audit review of the administrative control systems inherent in these transaction/event functions assures effective management of activities related to overall program accomplishment. Due to their importance, our internal audit program places considerable emphasis in reviewing administrative controls established for these major programmatic transaction/event functions in the Water, Land and Air pollution control programs.

Audits of these programmatic functions routinely involve testing of many of the elements of the traditional transaction/event cycles: organization and management, administrative support, purchasing, expenditures, contracts, revenues and receivables, data processing support and other common systems of control.

We also rely on work of the external auditors who routinely test the eleven common systems during every audit. If external audit findings indicate a problem in one of the common systems of control, we initiate an internal audit. Conversely, if the external auditors do not identify any control weaknesses, we believe that redundant coverage is unnecessary and a waste of audit resources.

This approach is supported by FCIAA which empowered the Internal Audit Advisory Board to adopt professional standards for Illinois State Government internal auditors. The Board adopted the standards of the Institute of Internal Auditors.

Standard 550 states:

"…[the] director of internal auditing should coordinate internal and external audit efforts."

Standard 550.01.3 states:

"In coordinating the work of internal auditors with the work of external auditors, the director of internal auditing should ensure that the work to be performed by internal auditors in fulfillment of Standard 300 [Scope of Work] does not duplicate the work of the external auditors which can be relied on for purposes of internal audit coverage. To the extent that professional and organizational reporting responsibilities allow, internal auditors should conduct examinations in a manner that allows for maximum audit coordination and efficiency."

We believe that the effectiveness of our internal audit program speaks for itself both as evidenced by the decline in external audit findings over the past decade and in the successful programmatic improvements that have resulted from our approach to the review of systems of administrative control.

AUDITORS' COMMENT

We do not accept the Agency's position. The requirements of the law are clear. The State Comptroller's guidance for implementation of the Fiscal Control and Internal Auditing Act lists eleven major review categories. These eleven categories are all essential areas of internal accounting and administrative control. Unless EPA can demonstrate that one or more of these areas is missing in its operations, the Agency should comply with the law and review them all at least once every two years.

1998: Accepted. We will continue to make the necessary adjustments in audit coverage to ensure that all significant control systems are audited while continuing to provide management with meaningful reviews of program operations.

1996: Accepted. The audit report states that Internal Audits did not perform adequate reviews of the personnel/payroll and property control systems during the two-year audit period. This finding is based on the fact that five audits of control systems were begun but not completed during the audit period. It is not unusual that some internal audits would span external audit periods. The Agency believes that the audits of our personnel/payroll and property control systems, although not completed by the end of the audit period, nevertheless met the requirements of FCIAA. In fact, corrective action had begun in FY96 based on those audits in progress, as problem areas were identified. Such corrective action is reflected, for example, in our response to Finding #6, relative to property control. Although we disagree with this finding with regard to exactly what is required under FCIAA, we will make every effort to comply with the recommendation in the future.

#2 INADEQUATE COMPUTER DISASTER RECOVERY PLAN – Previous Agency Responses

1999: Accepted. The Agency intends to build on our Y2K contingency planning efforts to develop an effective disaster recovery plan. Y2K required a complete review of our computer operations, including applications, hardware, and network infrastructure. We are looking at various software packages that will walk us through the disaster recovery planning process and will enable us to take full advantage of the information already gathered for Y2K. We plan to have a disaster recovery plan by September 1, 2000.

1998: Accepted. The Agency has been reviewing its use of information technology. As a result of that review, all network servers are being centralized into a single computer room to provide efficiency of operations, automated backup, and adequate physical and network security. With the completion of the centralization process, the disaster recovery process will be restarted and a disaster recovery plan should be completed and tested by December 31, 1999.

1996: Accepted. The Disaster Recovery Plan is being updated and expanded to include LAN-based applications. The updated plan will be tested upon completion and will be reviewed and updated annually.
  • The responsibility for updating the current Disaster Recovery Plan has been assigned to the Agency Security Officer to be completed by July 1, 1997. The updated plan will cover LAN-based systems. As of February 1, 1997, she has developed a work plan and an outline for the new Disaster Recovery Plan, and has begun to gather data on Agency systems.
  • The agreement with the Agency’s minicomputer vendor has been reviewed. In view of the Agency’s decision to upgrade the Laboratory Information Management System on a LAN-based platform, it has been determined that it will be more cost effective to redesign the remaining applications on the minicomputers than to maintain an agreement for a hot-spare. Redesign of these systems will proceed as staffing allows.
  • The Agency Security Officer is a member of a DCMS committee working on establishing a LAN recovery site at the State Fairgrounds. This site will allow the Agency to reestablish its LAN-based network and applications after a disaster and will replace the previously proposed work site at the Illinois Department of Public Aid.
  • Personnel changes, addresses, and phone numbers will be updated as part of the revision of the Agency Disaster Recovery Plan.
  • It is the responsibility of the Security Officer to review the plan annually, supervise testing, and update the plan as needed.