REPORT DIGEST

ENVIRONMENTAL PROTECTION AGENCY

COMPLIANCE EXAMINATION FOR THE TWO YEARS ENDED JUNE 30, 2020

Release Date: July 14, 2021

FINDINGS THIS AUDIT: 18

CATEGORY: NEW -- REPEAT -- TOTAL
Category 1: 1 -- 0 -- 1
Category 2: 9 -- 8 -- 17
Category 3: 0 -- 0 -- 0
TOTAL: 10 -- 8 -- 18

FINDINGS LAST AUDIT: 10

Category 1: Findings that are material weaknesses in internal control and/or a qualification on compliance with State laws and regulations (material noncompliance).
Category 2: Findings that are significant deficiencies in internal control and noncompliance with State laws and regulations.
Category 3: Findings that have no internal control issues but are in noncompliance with State laws and regulations.

State of Illinois, Office of the Auditor General
FRANK J. MAUTINO, AUDITOR GENERAL

To obtain a copy of the Report contact: Office of the Auditor General, Iles Park Plaza, 740 E. Ash Street, Springfield, IL 62703, (217) 782-6046 or TTY (888) 261-2887

This Report Digest and Full Report are also available on the worldwide web at www.auditor.illinois.gov

SYNOPSIS

• (20-2) The Agency did not exercise adequate internal control over its automobiles.
• (20-4) The Agency failed to maintain proper controls over personal services.
• (20-5) The Agency did not comply with the Grant Accountability and Transparency Act and the Illinois Administrative Code requirements for grant administration and monitoring.
• (20-15) The Agency has not implemented adequate practices and controls to protect confidential information.

FINDINGS, CONCLUSIONS, AND RECOMMENDATIONS

INADEQUATE CONTROLS OVER STATE VEHICLES

The Environmental Protection Agency (Agency) did not exercise adequate internal control over its automobiles. As of June 30, 2020, the Agency had 157 vehicles.
During testing, some of the more significant issues noted by the auditors are as follows:

• The Agency had not performed an analysis of its automobiles to determine whether maintaining each vehicle could be justified as the most cost effective solution for the specific operational needs of the Agency. The auditors analyzed the total activity of the Agency’s 157 vehicles used during Fiscal Years 2019 and 2020. The Agency’s vehicles traveled between 23 and 33,489 miles during Fiscal Year 2019 and between 48 and 33,029 miles during Fiscal Year 2020, with the following charts showing the average monthly vehicle utilization:
  Further, we noted the following apparently underutilized vehicles during Fiscal Years 2019 and 2020:
  (See charts in PDF version of this digest.)
• The Agency did not ensure its vehicles were properly maintained during the examination period. The auditors reviewed the maintenance records for 37 vehicles and noted the following:
  – Ten (27%) vehicles tested did not have routine oil changes during the examination period.
  – Four (11%) vehicles tested received oil changes from 1,065 to 9,825 miles past the allowed oil change interval.
  – Ten (27%) vehicles tested did not receive tire rotations at the required intervals.
  – Seven (19%) vehicles tested did not undergo an annual inspection during the examination period.
• The Agency did not timely and properly report vehicle assignments to the Department of Central Management Services (CMS).
  – Five of 14 (36%) employees assigned State vehicles were not reported on the Fiscal Year 2019 Annual Report on Individually Assigned Vehicles submitted to CMS.
  – The two changes (100%) to vehicle assignments during the examination period were not reported to CMS as required.

(Finding 2, pages 14-19) This finding has been repeated since 2014.
We recommended the Agency perform an analysis of its automobiles to determine whether each vehicle can be justified as the most effective solution for the Agency’s specific operational needs. We also recommended the Agency review its internal controls over monitoring its fleet to ensure vehicles receive timely maintenance. We further recommended the Agency develop a monitoring process to ensure all employee vehicle assignments and changes are timely and properly reported to CMS.

Agency officials agreed with the finding.

INADEQUATE CONTROLS OVER PERSONAL SERVICES

The Agency failed to maintain proper controls over personal services. During testing, some of the more significant issues noted by the auditors are as follows:

• Eight of 40 (20%) employees tested did not have performance evaluations for the evaluation period tested. Additionally, 22 of 40 (55%) employees tested had performance evaluations not completed within the required timeframe. The delinquencies ranged from one to 286 days late.
• Five of 40 (13%) employee files tested had missing withholding authorizations for union dues.
• For two of 40 (5%) employee files tested, the employer’s section of the Form I-9 was not completed and signed by the Agency’s authorized representative.
• For two of eight (25%) employees tested who were on leaves of absence (LOA), the Agency did not pay the employer’s share of group insurance for one and two semi-monthly pay periods.
• For 12 of 40 (30%) employees tested, 20 requests for 16 hours of equivalent earned time (EET) and 60 hours of overtime were not properly approved by the supervisors. Documentation showed these requests were approved from two to 13 days after the overtime was worked or the request was submitted. In addition, for 14 of 40 (35%) employees tested, 30 requests for 149 hours of EET and 110 hours of overtime were submitted from two to 21 days after the overtime was worked.

This finding has been repeated since 1994.
(Finding 4, pages 22-26)

We recommended the Agency take appropriate action to ensure performance evaluations are conducted annually and in a timely manner. We also recommended the Agency ensure personnel files contain all required documentation including payroll deduction and withholding forms and completed I-9 forms and obtain missing documents from the employees. We further recommended the Agency develop and implement procedures on monitoring of the monthly reimbursement reports to ensure the employer’s share of group insurance is paid for employees who are on unpaid leave of absence. In addition, we recommended the Agency ensure overtime requests are timely submitted, properly approved in advance, and pre-approval is documented and maintained.

Agency officials agreed with the finding.

INADEQUATE CONTROLS OVER AWARDS AND GRANTS

The Agency did not comply with the Grant Accountability and Transparency Act and the Illinois Administrative Code requirements for grant administration and monitoring. The Agency expended over $707 million (81%) and $591 million (80%) for awards and grants of its total expenditures of approximately $869 million and $743 million during Fiscal Year 2019 and Fiscal Year 2020, respectively. The auditors sampled ten grant programs and selected 40 grant agreements totaling $29,446,057 for testing.

During testing, some of the more significant issues noted by the auditors are as follows:

• Forty-five of 249 (18%) progress reports tested were submitted to the Agency from 10 to 565 days late.
• Thirty-eight of 249 (15%) progress reports tested were not submitted to the Agency by the grantee.
• Seventy-eight of 249 (31%) progress reports tested did not have evidence of a review by Agency personnel.
• For 29 of 40 (73%) grant agreements tested, the grantees were not in compliance with grant terms and conditions regarding monthly reports, and the Agency did not send notifications to the awardees that payments will be withheld for noncompliance with the grant agreement requirements.

In addition, the Agency did not have rules for addressing late financial and performance reports by grantees as required.

(Finding 5, pages 27-28)

We recommended the Agency strengthen its controls to ensure it timely reviews grantees’ required reports and maintains documentation of those reviews. We also recommended the Agency implement rules and procedures to comply with the Grant Accountability and Transparency Act and the Illinois Administrative Code’s requirements for grant monitoring and grant compliance enforcement.

Agency officials agreed with the finding.

LACK OF CYBERSECURITY PROGRAMS AND PRACTICES

The Agency has not implemented adequate practices and controls to protect confidential information. During our examination of the Agency’s cybersecurity program, practices, and control of confidential information, we noted the Agency had not:

• Ensured an appropriate security structure, including responsibilities over cybersecurity, had been established to manage and monitor the regulatory, legal, environmental and operational requirements.
• Developed a formal security program (policies and procedures) to ensure its resources and data were adequately protected.
• Completed a formal comprehensive risk assessment of its computing resources to identify confidential or personal information to ensure such information is protected from unauthorized disclosure.
• Classified its data to identify and ensure adequate protection of information. Additionally, the Agency had not ensured all confidential information was adequately safeguarded through encryption or redaction.
• Established a policy for ensuring electronic media is adequately sanitized prior to disposal.
• Established a formal policy for granting access to systems and applications, including procedures for documenting access requests and approvals. Our testing noted one of two (50%) users had excessive access rights to an application.

(Finding 15, pages 48-49)

We recommended the Agency:

• Establish an appropriate security structure, including responsibilities over cybersecurity to manage and monitor the regulatory, legal, environmental and operational requirements.
• Develop a formal security program (policies and procedures) to ensure its resources and data are adequately protected.
• Complete a formal comprehensive risk assessment of its computing resources to identify confidential or personal information to ensure such information is protected from unauthorized disclosure.
• Classify its data to identify and ensure adequate protection of information. Additionally, the Agency should ensure all confidential information is adequately safeguarded through encryption or redaction.
• Establish a policy for ensuring electronic media is adequately sanitized prior to disposal.
• Establish access provisioning procedures to ensure requested access is adequately documented and approved and subsequently removed when no longer needed. Additionally, the Agency should review access rights on a periodic basis to ensure access is appropriate.

Agency officials agreed with the finding.

OTHER FINDINGS

The remaining findings pertain to inadequate controls over census data, accounts receivable, monthly reconciliations, refunds and Agency Fee Imposition reporting, voucher processing, and review of service providers; noncompliance with statutory requirements in providing public notices and administrative citation warning notice, the Consumer Electronics Recycling Act, statutory reporting requirements, application and permit requirements, and the Fiscal Control and Internal Auditing Act; statutory task force requirements; and inadequate disaster recovery planning and testing.
We will review the Agency’s progress towards the implementation of our recommendations in our next compliance examination.

ACCOUNTANT’S OPINION

The accountants conducted a compliance examination of the Agency for the two years ended June 30, 2020, as required by the Illinois State Auditing Act. The accountants qualified their report on State compliance for Finding 2020-001. Except for the noncompliance described in this finding, the accountants stated the Agency complied, in all material respects, with the requirements described in the report.

This compliance examination was conducted by Roth and Company, LLP.

JANE CLARK
Division Director

This report is transmitted in accordance with Section 3-14 of the Illinois State Auditing Act.

FRANK J. MAUTINO
Auditor General

FJM:ph