REPORT DIGEST

DEPARTMENT OF EMPLOYMENT SECURITY

FINANCIAL AUDIT
FOR THE YEAR ENDED: JUNE 30, 2012

Release Date:   February 6, 2013

Summary of Findings:
Total this audit: 2
Total last audit:  1
Repeated from last audit: 1

State of Illinois, Office of the Auditor General
WILLIAM G. HOLLAND, AUDITOR GENERAL

To obtain a copy of the Report contact:
Office of the Auditor General, Iles Park Plaza, 740 E.
Ash Street, Springfield, IL 62703
(217) 	782-6046 or TTY (888) 261-2887

This Report Digest and Full Report are also available on
the worldwide web at www.auditor.illinois.gov

INTRODUCTION

This report covers our financial audit of the Department
of Employment Security’s Non-Shared Funds for the years
ended June 30, 2012.  A State compliance examination
covering the two years ended June 30, 2013 will be
performed next year.

SYNOPSIS

• The Department had inadequate controls over the
security and use of Super IDs.

• The Department did not properly account for unapplied
credits relating to unemployment tax contributions
received from other State agencies and component units,
totaling $4.9 million.

• In July 2009 the State of Illinois began receiving
repayable advances from the Federal Government for the
Illinois Unemployment Compensation Trust Fund.  At June
30, 2012, this amount totaled approximately
$1,138,264,000.

FINDINGS, CONCLUSIONS, AND RECOMMENDATIONS

INADEQUATE CONTROLS OVER COMPUTER SECURITY

The Department of Employment Security (Department) had
inadequate controls over the security and use of Super
IDs.

The Information Services Division (ISD) is responsible
for the development and maintenance of the Department’s
information systems and for preserving the integrity and
security of information warehoused within those systems.
The Department processed approximately $3.2 billion in
employer unemployment tax revenue contributions and
$5.04 billion of unemployment benefit payments in fiscal
year 2012.

During the audit period we found that ISD programmers
were sharing and using Super IDs generally on a weekly
basis and sometime multiple times in one day, on a non-
emergency basis in the production environment for
resolving transactional or application-related problems
that occurred during the regular day or at night batch
processing. The Super ID is necessary to fix production
problems when production control staff is not available
and to fix data errors directly to the production
environment.  Since the Super IDs were shared, the
individual accountability over its use was limited.

A log of the use of the Super ID and approvals is
maintained; however, there is no documented approval
(pre or post) by the data owner on the use of the Super
ID, nor is there a formal notification and user
acceptance of the resolutions performed.  Only the ISD
Manager of the programmer signs the approval form.
Furthermore, transaction logs that documented the use of
the Super ID were not descriptive enough to show the
actual transaction codes that were executed, or the
tables or files that were accessed to provide audit
trails.  Therefore, there is no assurance that only
authorized and appropriate modifications were made to
the production data.

The use of the Super IDs increases the risk of
unauthorized access to systems and data which could
jeopardize the integrity of the Department’s resources.
Programming staff should generally be limited to
accessing only the information specifically required to
complete their assigned system development projects.
Furthermore, Department policy stated that the use of
the Super ID should be limited to resolution of
production problems when the Production Control Unit
staff is either not scheduled or unavailable. (Finding
1, Pages 41-43) This finding was first reported in 2008.

We recommended that the Department allocate the
resources necessary to correct day-to-day transactional
and applications-related information systems problems,
without compromising the security of those systems by
over utilizing Super ID access rights. Further, we
recommended that the use of the Super ID be restricted
to emergency uses as required by Department policy.

Department officials accepted the recommendation and
stated that have worked to reduce their reliance on
Super ID. Their goal is to eliminate the use of Super
IDs completely by increasing the skill level of
Department employees working in Information Service
Bureau’s (ISB) Support Services.  (For the previous
Department response, see Digest footnote #1)

IMPROPER ACCOUNTING OF UNAPPLIED CREDITS

The Department did not properly account for unapplied
credits relating to unemployment tax contributions
received from other State agencies and component units,
totaling to $4.9 million.

As of June 30, 2012, the Department had unapplied
refunds payable (presented as part of benefit payments
payable) of about $38 million.  This account consists of
unapplied credits for overpayment made by employers to
the Department due to wage or rate adjustments,
consolidation or deconsolidation of accounts of
companies under common ownership, and erroneous
overpayment.

The unapplied refunds payable is applied by the Benefit
Funding System (BFS)	automatically in the following
taxable quarter when there is tax due from the employer
and the employer did not request a refund.  When the
unapplied credit is applied to a certain taxable
quarter, the Department credits the revenue account in
the books. The Department reviews unapplied credits upon
request of the employers.

During our review of 25 employer accounts with unapplied
credits totaling $11 million (30%), we noted one account
had unapplied credits totaling $4.8 million.  This
account pertains to unapplied credits of a State agency
for unemployment benefits paid to its former employees
from June 2010 through March 2011.  Upon further review,
we noted four State agencies and component units with
unapplied credits totaling $63,000 for benefits paid to
their former employees during various taxable quarters
in 2011 and 2000.

820 ILCS 405/1405 of the Unemployment Insurance Act
states that state entities may elect, instead, in lieu
of paying contributions, to reimburse the Department for
the actual amount of any benefits paid to their former
workers.  Contributions received from state entities
electing to reimburse benefits were considered
reimbursable transactions however, the unapplied credits
were due to the Department’s posting these transactions
under inactive accounts in BFS. (Finding 2, Pages 44-45)

We recommended that the Department implement procedures
to ensure reimbursable transactions and other unapplied
credits relating to State agencies and component units
are properly posted in BFS to ensure that the records
and the financial statements are accurate.

Department officials accepted the recommendation and
stated that the individual posting these receipts in BFS
has been notified and informed of the proper process.

AUDITORS’ OPINIONS

Our auditors stated the financial statements present
fairly, in all material respects, the financial position
of the Non-shared Funds of the Department of Employment
Security as of June 30, 2012, and the changes in
financial position and cash flows, where applicable,
thereof for the year then ended.

WILLIAM G. HOLLAND
Auditor General

WGH:TLK:rt

SPECIAL ASSISTANT AUDITORS

E.C. Ortiz & Co., LLP were our special assistant
auditors.

DIGEST FOOTNOTES
#1 –Inadequate Controls Over Computer Security –Previous
Department Response

We accept the recommendation. Since July of 2011, after
the time of these findings, the Department has worked to
reduce our reliance on Super IDs. We have restricted the
use of these IDs to emergency cases, which occur outside
of regular business hours. Additionally, in August of
2010, we launched our new Unemployment Insurance system,
IBIS. All of the data from our old system, BIS, was
converted at that time and we are currently working on a
plan to decommission the BIS application. Therefore,
issuessurrounding the use of Super IDs to correct BIS
data are no longer relevant.

Our goal is to eliminate the use of Super IDs completely
by increasing the skill level of Department employees
working in Information Services Bureau’s (ISB) Support
Services. We will work with our ISB staff to ensure
Super ID forms provide a more meaningful description
showing the nature of the changes made using the Super
ID, including the actual transaction codes that were
executed, or the tables or files that were accessed. All
of this documentation will continue to be reviewed on a
weekly basis and retained by ISB’s Support Services
manager. Finally, in order to ensure we keep a better
audit trail of Super ID usage, we will implement a new
policy that only night shift Computer Room supervisors
have access to Super ID passwords. Staff needing to use
a Super ID will need to call the Computer Room
supervisor for the password before making any
modifications. All calls to the Computer Room are
currently logged and retained.