|
INTRODUCTION
This report presents our financial audit and State
compliance examination for the year ended June 30, 2006.
FINDINGS, CONCLUSIONS, AND
RECOMMENDATIONS
NEED TO IMPROVE CONTRACT
FILING TIMELINES WITH THE STATE COMPTROLLER
Department did not file all professional
service contracts in excess of $5,000 with the Office of the State
Comptroller in a timely manner. We reviewed ten contractual agreements for
professional services entered into by the Department in FY06 and noted that 4
agreements were filed with the Comptroller 87 to 100 days after execution.
The Illinois Procurement Code requires that whenever a
professional service contract liability exceeds $5,000, a copy of the
contract shall be filed with the State Comptroller within 15 days of its
execution. (Finding 3, page 15)
We recommended the Department file contracts exceeding $5,000
with the Office of the State Comptroller in a timely manner.
Department officials agreed with the finding and
recommendation and indicated a change in personnel resulted in a delay in
processing these contracts.
INADEQUATE COMMODITIES INVENTORY RECORDS
The Department did not have formal commodity inventory policies
or procedures in place as of June 30, 2006.
In addition, the Department does not maintain a perpetual commodity
inventory system that would keep track of the quantity on hand or cost of the
inventory at any point in time.
During FY2006, the Department deemed the
Maintenance Management Information System as being outdated and thus,
discontinued its use as a perpetual inventory system for the purpose of
maintaining perpetual inventory records of highway maintenance items. Instead, the Department performed year-end
commodities inventory counts at each of its locations for use in preparing
its Departmental financial statements.
During the year-end physical inventory,
we performed test counts and noted discrepancies between the inventory counts
and pricing that resulted in an understatement of these test items totaling
$261,519. When extrapolating the
discrepancy over the entire inventory, the valuation resulted in an
understatement of $5.4 million. The
Department was not able to reconcile between the audit test counts and the
Departmental test counts. We also
determined that a number of commodities at different locations were given
equal pricing although commodity costs varied by location.
The Illinois Procurement Code requires agencies to inventory
or stock no more than a twelve month supply of equipment, supplies,
commodities, etc. Each agency is to
periodically review its inventory to ensure compliance with this Section. Additionally, good internal control
requires formal written policies so that inventory can be tracked and
maintained consistently throughout the Department. (Finding 4, pages 16 - 17)
We recommended the Department develop formal inventory
policies and procedures for all Districts/Sites and maintain commodities
quantity and costing records throughout the year. Their procedures should include taking periodic test counts and
reconciling those counts to its commodities records. At a minimum, year-end physical
inventories should be taken and records should be adjusted, where necessary. (This finding has been repeated since
1994.)
Department officials agreed with our recommendation and
indicated that, during FY2006, new protocols to track commodities and perform
year-end inventory counts had been implemented; however, they later found
some staff had misinterpreted the instructions. The staff misinterpretations led to incomplete and inaccurate
inventory counts and valuations in FY2006.
(For previous agency responses see Digest Footnote #1).
INADEQUATE PROCEDURES FOR DISPOSAL OF
CONFIDENTIAL INFORMATION
The Department had not ensured adequate procedures exist for
disposal of documents containing confidential and sensitive information.
We found the Department’s procedures for properly disposing
of confidential information were not adequate and not always enforced.
While performing a walkthrough at the Department’s main
administrative location, auditors discovered confidential, personal, and
sensitive information in recycle bins.
Personal and sensitive information found included:
-
Payroll
reports including names and social security numbers.
-
Employee
timesheets, benefit statements, and bond statements that contained
employee names, dependent names, social security numbers and home
addresses.
The
Personal Information Protection Act requires State agencies to properly
dispose of information. The Act
states, “Any State agency that collects personal data that is no longer
needed or stored at the agency shall dispose of the personal data or written
material it has collected in such a manner as to ensure the security and
confidentiality of the material.”
(Finding 8, pages 22 - 23)
We recommended the Department comply with the Personal
Information Protection Act and establish adequate Department-wide procedures
for properly disposing of confidential information. Once established, the Department should effectively communicate
the procedures to all Departmental personnel, and enforce compliance with its
procedures.
Department officials agreed with our recommendation to
protect, dispose and securely store confidential information. The Department indicated they have
implemented locked, secured containers for confidential information as well
as provided procedures on proper disposal methods. In addition, disposal vendor’s maintenance and disposal
procedures are to be reviewed for compliance with the procedures.
INADEQUATE COMPUTER SECURITY CONTROLS
The
Department had not established controls for securing its computer resources.
The
Department had established computer systems throughout the State in order to
meet its mission and mandates. The
computer systems processes and maintains critical, confidential and sensitive
information.
Our
testing of computer security noted:
·
Outdated IT technology policy.
·
Lack of a complete and accurate listing of servers
used.
·
Servers were not updated with the current vendor
patch levels.
·
An excessive number of users having powerful security
administration authorization.
·
Accounts with no password requirements.
·
Accounts for terminated employees remained active
from two to 14 months after termination.
Without the implementation of adequate controls and
procedures, there is greater risk unauthorized access to Department resources
may be gained and data compromised or destroyed (Finding 9, pages 24 - 25)
We recommended the Department update the Information
Technology Policy to reflect the current environment and address current laws
and regulations. Further, the
Department should strengthen its security parameters by reducing the number
of users with security administration authority, requiring consistent
password requirements for all users, deactivating terminated accounts on a
timely basis, and ensuring servers are patched in a timely manner.
Department officials agreed with the recommendation and state
they have updated the Information Technology Policy to reflect current
environment and address current laws.
Also, as a result of Information Technology consolidation, Central
Management Services (CMS) has taken responsibility for managing servers,
routers, LAN/WAN infrastructure, network policy, backup/archiving functions,
user accounts, email administration, etc.
The Department will continue to work with CMS to establish adequate
controls, policies and procedures over computer security, the baseline
controls for deactivating network accounts, and obtain the information
necessary to ensure security issues are addressed.
INADEQUATE MONITORING OF INTERAGENCY AGREEMENTS
The
Department’s process to monitor interagency agreements was inadequate.
The
Department enters into multiple agreements with other State agencies and
other units of governments. The
purpose of these agreements is to assist the Department in fulfilling its
mandated mission.
During
our testing of four interagency agreements between the Department and the
Governor’s Office of Management and Budget, the following deficiencies were
noted:
·
4 of 4 of the agreements tested were not signed by
all parties before the effective date of the contract. The agreements were signed 125 to 321 days
late.
·
1 of 4 of the agreements (legal services) tested did
not include supporting documentation detailing the methodology used to
determine the allocation percentage for each agency.
·
1 of 4 of the agreements (actuarial review) tested
had made payments totaling $14,185 prior to all parties signing the
agreement.
·
1 of 4 of the agreements (legal services) had
services invoiced prior to the effective date of the agreement.
·
1 of 4 of the agreements (legal services) had a
$1,323 overpayment because the vendor billed for services of individuals not
specified in the contract.
·
1 of 4 of the agreements (actuarial review) had a
$421 departmental overpayment due to an incorrect percentage being applied.
Prudent
business practices require the approval of agreements prior to the effective
date and proper documentation supporting the billing and payment of
services. (Finding 11, pages 28 – 29)
We
recommended the Department ensure all interagency agreements are approved by
an authorized signer prior to the effective date of the agreement. Additionally, the Department should take
the necessary steps to increase monitoring of the billings and expenses and
request refunds where there has been an overpayment.
Department
officials agreed with our recommendation and indicated they will (1) seek
separate agreements, (2) ensure that it is only billed its portion of project
costs, (3) obtain the allocation methodology prior to entering into the
agreement, and (4) obtain more control in monitoring vendor billings.
OTHER FINDINGS
The remaining findings are reportedly being given attention
by the Department. We will review
progress toward implementing these recommendations in our next compliance
audit.
AUDITORS’ OPINION
Our auditors state the basic financial statements of the
Department as of and for the year ended June 30, 2006 are fairly presented in
all material respects.
____________________________________
WILLIAM
G. HOLLAND, Auditor General
WGH:SES:pp
SPECIAL ASSISTANT AUDITORS
BKD,
LLP were our special assistant auditors for this audit.
DIGEST FOOTNOTE
#1 INADEQUATE COMMODITIES
INVENTORY – Previous Agency Response
The
Department agreed with the auditor’s recommendation with regard to improving
the accounting and reporting of its commodity inventory in its prior
findings.
Complete
Department responses to prior findings are available upon request from the
Auditor General’s Office.
|
