REPORT DIGEST DEPARTMENT OF TRANSPORTATION COMPLIANCE EXAMINATION FOR THE TWO YEARS ENDED JUNE 30, 2020 Release Date: October 7, 2021 FINDINGS THIS AUDIT: 12 CATEGORY: NEW -- REPEAT -- TOTAL Category 1: 0 -- 0 -- 0 Category 2: 5 -- 7 -- 12 Category 3: 0 -- 0 -- 0 TOTAL: 5 -- 7 -- 12 FINDINGS LAST AUDIT: 10 Category 1: Findings that are material weaknesses in internal control and/or a qualification on compliance with State laws and regulations (material noncompliance). Category 2: Findings that are significant deficiencies in internal control and noncompliance with State laws and regulations. Category 3: Findings that have no internal control issues but are in noncompliance with State laws and regulations. State of Illinois, Office of the Auditor General FRANK J. MAUTINO, AUDITOR GENERAL To obtain a copy of the Report contact: Office of the Auditor General, Iles Park Plaza, 740 E. Ash Street, Springfield, IL 62703 (217) 782-6046 or TTY (888) 261-2887 This Report Digest and Full Report are also available on the worldwide web at www.auditor.illinois.gov INTRODUCTION This digest covers our Compliance Examination of the Department of Transportation (Department) for the two years ended June 30, 2020. A separate Financial Audit as of and for the year ended June 30, 2020 was previously released on June 16, 2021. In total, this report contains 12 findings, 1 of which was also reported in the Financial Audit. SYNOPSIS • (20-2) The Department did not maintain documentation to substantiate the timely inspections of bridges in its database. • (20-6) The Department did not have adequate controls over the administration of State vehicles. • (20-12) The Department had not implemented adequate internal controls related to cybersecurity programs and practices. FINDINGS, CONCLUSIONS, AND RECOMMENDATIONS FAILURE TO MAINTAIN TIMELY AND ACCURATE INFORMATION ON BRIDGE INSPECTIONS The Department did not maintain documentation to substantiate the timely inspections of bridges in its database. The Department is responsible for ensuring that all highway bridges on public roads in the State are inspected. The Department conducts various types of bridge inspections and we examined the timeliness of routine, special, underwater, and fracture critical member inspections. Routine inspections Using the intervals established by the Department and allowing for the data entry period, according to the Department’s Illinois Structure Information System data, as of July 1, 2020, 152 bridges were potentially overdue for a routine inspection (up from 28 as of July 1, 2018). Of the 152 overdue inspections: • 18 bridges (12%) were listed as the maintenance responsibility of an adjacent state. • 20 bridges (13%) were rated structurally deficient. • Inspections were 91 to 213 days overdue. Special Inspections Of the total 26,669 open bridges the Department is required to inspect or cause to be inspected (i.e. locals), 1,073 were slated for a special inspection totaling 1,133 special inspections. Using the intervals established by the Department and allowing for the data entry period, according to the Department’s Illinois Structure Information System data, as of July 1, 2020, 14 bridges were potentially overdue for a special inspection (down from 27 bridges as of July 1, 2018). Of these 14 bridges with overdue special inspections: • 1 bridge was listed as the maintenance responsibility of an adjacent state. • 12 bridges (86%) were structurally deficient. Underwater inspections Of the total 26,669 open bridges that the Department is required to inspect or cause to be inspected, 516 (2%) were slated for an underwater inspection during the period of July 1, 2018 through June 30, 2020. Using the intervals established by the Department and allowing for the data entry period, according to the Department’s Illinois Structure Information System data, as of July 1, 2020, 4 bridges (1%) were potentially overdue for an underwater inspection (down from 7 as of July 1, 2018), all of which were local and, specifically, the maintenance responsibility of an adjacent state. The Department has not received inspection reports from the responsible adjacent states indicating the last inspection date. Fracture Critical Inspections Of the total 26,669 open bridges that the Department is required to inspect or cause to be inspected, 471 (2%) were slated for a fracture critical inspection during the period of July 1, 2018 to June 30, 2020. Using the intervals established by the Department and allowing for the data entry period, according to the Department’s Illinois Structure Information System data, as of July 1, 2020, 9 bridges (2%) were potentially overdue for a fracture critical inspection (decrease from 11 as of July 1, 2018), consisting of 11 total components. Of these 9 bridges with overdue fracture critical inspections: • 7 bridges (78%) were listed as the maintenance responsibility of an adjacent state. • 2 bridges (22%) were rated as structurally deficient. (Finding 2, pages 16-19) This finding was first reported in 2014. We recommended the Department ensure bridge inspections are conducted and documentation is maintained to substantiate the inspections are completed within allowable intervals established by Federal regulations and Department policy. We also recommended the Department follow-up with adjoining states where they have not received reports to determine why an inspection has not been completed or obtain the reports and ensure the Illinois Structure Information System data is updated. Department officials stated they plan to address the issues noted. INADEQUATE CONTROLS OVER THE ADMINISTRATION OF STATE VEHICLES The Department did not have adequate controls ensuring the proper completion of motor vehicle trip tickets, the reporting of vehicle accidents to the Department of Central Management Services (CMS), the maintenance of State vehicles, calculating the fringe benefits to employees for personal use of assigned State vehicles, and ensuring all employees assigned a State-owned vehicle were duly licensed and insured. During testing, some of the more significant issues noted by the auditors are as follows: • 10 of 60 (17%) vehicles tested had trip tickets that did not contain a supervisory approval. • 3 of 60 (5%) vehicles tested were missing vehicle trip tickets. • 18 of 40 (45%) vehicles tested did not have routine oil changes performed on a timely basis. These vehicles were driven from 84 to 5,154 miles after an oil change was required. One of the vehicles had no record of any oil changes being performed in one of the fiscal years tested. • Five of 40 (13%) employees assigned a State vehicle tested, failed to submit the annual liability and licensure certification. Additionally, we noted 3 of 40 (8%) employees tested submitted the certification from 35 to 178 days late. (Finding 6, pages 25-27) This finding was first reported in 2007. We recommended the Department continue to develop and implement procedures which create stronger controls over its vehicles. We also recommended the procedures encompass the responsibilities incumbent upon employees at both the District and Central Office levels if they utilize Department vehicles and address compliance, recordkeeping, maintenance, and accountability. We further recommended the Department ensure employees and individuals utilizing State vehicles are properly trained on the related procedures, rules, and regulations. Department officials agreed with the recommendations. WEAKNESSES IN CYBERSECURITY PROGRAMS AND PRACTICES The Department had not implemented adequate internal controls related to cybersecurity programs and practices. During our examination of the Department’s cybersecurity program, and practices, we noted the Department had not: • Established a risk management methodology. • Performed a comprehensive risk assessment to identify and ensure adequate protection of information (i.e. confidential or personal information) most susceptible to attack. • Developed a formal, comprehensive, adequate, and communicated security program (policies, procedures, and processes) to manage and monitor the regulatory, legal, environmental and operational requirements. • Established a process to review and ensure security incidents identified by the Department of Innovation and Technology (DoIT) involving the Department’s systems or data were fully remediated and related vulnerabilities were assessed. In addition, we reviewed user access rights for six applications, noting: • 6 of 15 (40%) new hires tested did not have documentation of an approved request for access. • 10 of 30 (33%) terminated employees tested did not have their access timely revoked. We also noted the Department had not conducted a review of access rights for the 2 of 6 (33%) applications sampled. Further, the Department’s Access Provisioning Policy did not have a requirement for review of user access. (Finding 12, pages 37-38) We recommended the Department: • Establish a risk management methodology. • Perform a comprehensive risk assessment to identify and ensure adequate protection of information (i.e. confidential or personal information) most susceptible to attack. • Develop a formal, comprehensive, adequate, and communicated security program (policies, procedures, and processes) to manage and monitor the regulatory, legal, environmental and operational requirements. • Establish a process to review and monitor security incidents identified by DoIT involving the Department’s systems or data to ensure incidents were remediated and related vulnerabilities were assessed. • Update the Access Provisioning Policy to require periodic access reviews and conduct reviews. • Revoke access timely after determining access is no longer required. • Maintain documentation of access request approvals. Department officials agreed with the recommendation. OTHER FINDINGS The remaining findings pertain to lack of census data reconciliation, inadequate controls over employee overtime, statements of economic interest, personal services, and accounts receivable, failure to control outdoor advertising, noncompliance with reporting requirements, adoption of the H + T Affordability at Metropolitan Planning Organizations, and weaknesses regarding change management process. We will review the Department’s progress towards the implementation of our recommendations in our next compliance examination. AUDITOR’S OPINION The auditors stated the financial statements of the Department as of and for the year ended June 30, 2020, are fairly stated in all material respects. ACCOUNTANT’S OPINION The accountants conducted a compliance examination of the Department for the two years ended June 30, 2020, as required by the Illinois State Auditing Act. The accountants stated the Department complied, in all material respects, with the requirements described in the report. This compliance examination was conducted by Clifton Larson Allen LLP. JANE CLARK Division Director This report is transmitted in accordance with Section 3-14 of the Illinois State Auditing Act. FRANK J. MAUTINO Auditor General FJM:PH