REPORT DIGEST DEPARTMENT OF STATE POLICE Compliance Examination For the Two Years Ended June 30, 2014 Release Date: April 16, 2015 FINDINGS THIS AUDIT: 11 CATEGORY: NEW -- REPEAT -- TOTAL Category 1: 0 -- 0 -- 0 Category 2: 3 -- 8 -- 11 Category 3: 0 -- 0 -- 0 TOTAL: 3 -- 8 -- 11 FINDINGS LAST AUDIT: 14 Category 1: Findings that are material weaknesses in internal control and/or a qualification on compliance with State laws and regulations (material noncompliance). Category 2: Findings that are significant deficiencies in internal control and noncompliance with State laws and regulations. Category 3: Findings that have no internal control issues but are in noncompliance with State laws and regulations. State of Illinois, Office of the Auditor General WILLIAM G. HOLLAND, AUDITOR GENERAL To obtain a copy of the Report contact: Office of the Auditor General, Iles Park Plaza, 740 E. Ash Street, Springfield, IL 62703 (217) 782-6046 or TTY (888) 261-2887 This Report Digest and Full Report are also available on the worldwide web at www.auditor.illinois.gov SYNOPSIS • (14-1) The Department exercised inadequate control over the recording and reporting of its State property and equipment. • (14-2) The Department did not accurately record and report accounts receivables. • (14-5) The Department failed to maintain adequate security controls over computer systems or safeguards over confidential information. • (14-9) The Department did not exercise adequate controls over voucher processing. FINDINGS, CONCLUSIONS, AND RECOMMENDATIONS NEED TO IMPROVE CONTROLS OVER PROPERTY AND EQUIPMENT The Department of State Police (Department) did not exercise adequate control over the recording and reporting of its State property and equipment. We noted the following: • 39 of 57 (68%) items listed as lost or missing could possibly have confidential information stored on them. • The Department was unable to reconcile differences totaling $1,287,199 in Fiscal Year 2013 and $675,853 in Fiscal Year 2014. • 40 of 60 (67%) items, totaling $189,282, were added to the Department’s inventory records between 2 and 674 days late. • 15 of 60 (25%) items, totaling $17,233, were deleted from the Department’s inventory records between 31 and 255 days late. • 8 of 66 (12%) vouchers, totaling $148,822, included items that were not added to the Department’s inventory records. • 2 of 60 (3%) items, totaling $1,167, were deleted from Department records; however, the Department did not maintain documentation to support the date items were deleted. • 2 of 60 (3%) purchases, totaling $4,908, did not include documentation of date received. • 5 of 60 (8%) equipment items, totaling $4,092 were not reported with an accurate value on the deletion/transfer document. • 3 of 30 (10%) items were found in a different location than indicated on the equipment listing. (Finding 1, pages 10-12) This finding was first reported in 2002. We recommended the Department develop procedures to immediately assess if a computer may have contained confidential information whenever it is reported lost, stolen, or missing during the annual physical inventory, and document the results of the assessment. We also recommended the Department ensure all equipment is accurately and timely recorded or removed from the Department’s property records. Lastly, we recommended the Department continue to strengthen controls over the recording and reporting of its State property and equipment by reviewing their inventory and recordkeeping practices to ensure compliance with statutory and regulatory requirements. Department management concurred and stated the Department continues to struggle with the effects of the central property control unit being located outside of the agency within the Public Safety Shared Services Center (PSSSC) therefore delaying processing of paperwork as well as removing property control subject matter experts from the agency. (For the previous Department response, see Digest Footnote #1.) INADEQUATE CONTROLS OVER ACCOUNTS RECEIVABLE REPORTING The Department did not accurately record and report accounts receivable noted on the Quarterly Summary of Accounts Receivable Reports (Reports). During testing, we noted 30 of 112 (27%) Reports were inaccurate and did not agree to the support provided by the Department. We noted differences in accounts receivable amounts (i.e. payments, adjustments, beginning and ending balances). Gross accounts receivable totaled $2,885,000 in Fiscal Year 2013 and $2,848,000 in Fiscal Year 2014. (Finding 2, pages 13-14) This finding was first reported in 2010. We recommended the Department keep accurate and detailed records of all billings and the corresponding collections to facilitate proper reporting of accounts receivable activity. We also recommended the Department strengthen procedures to allocate necessary resources to properly post payments. Department management concurred and stated the accounts receivable reporting is a function of the Public Safety Shared Services Center (PSSSC) and they will continue to work with the PSSSC to ensure accurate and timely reporting of accounts receivable. (For the previous Department response, see Digest Footnote #2.) FAILURE TO MAINTAIN SECURITY CONTROLS OVER COMPUTER SYSTEMS AND CONFIDENTIAL INFORMATION The Department did not maintain adequate security controls over computer systems or safeguards over confidential information. During testing, we noted the Department: • Did not have a mechanism in place to ensure electronically transmitted information was secured or encrypted, other than LEADS information. • Had not completed a risk assessment of its computing resources to identify confidential or personal information to ensure such information was protected from unauthorized disclosure. • Had not deployed encryption software on all laptops. • Did not maintain certification of overwriting or destruction of computers or surplus EDP equipment as required by the Data on State Computers Act. • Had not effectively implemented available security controls. (Finding 5, pages 19-20) This finding was first reported in 2010. We recommended the Department review the policies/procedures for protecting confidential information, focusing on security through proper application security settings, storage, disclosure, redaction, and encryption procedures and install automatic encryption software on all laptops and secure and encrypt confidential data transmitted through the network. We also recommended the Department implement procedures to ensure the certification of overwriting of computers and surplus EDP equipment prior to being sold, donated or transferred and complete a risk assessment to evaluate its computer environment and data maintained to ensure adequate security controls have been established. Lastly, we recommended the Department ensure password security content and change interval settings conform to policy requirements. Department management concurred and stated they will explore possibilities to upgrade software solutions and support resources to strengthen security controls over computer systems and they will work to ensure all Departmental policies regarding security control and safeguards over confidential information are adhered to. (For the previous Department response, see Digest Footnote #3.) VOUCHER PROCESSING WEAKNESSES The Department did not exercise adequate controls over voucher processing. We noted 90 of 310 (29%) vouchers tested, totaling $3,616,776, were approved for payment from 2 to 156 days late. We also noted 7 of 310 (2%) vouchers tested, totaling $338,699, accrued a required interest payment of $4,298 which was not paid by the Department. (Finding 9, page 27) This finding was first reported in 2004. We recommended the Department comply with the Illinois Administrative Code and the State Prompt Payment Act to ensure vouchers are approved within the required time frame and the required interest is paid. Department management concurred and stated the Public Safety Shared Services Center (PSSSC) will continue to work to process vouchers in a timely manner. (For the previous Department response, see Digest Footnote #4) OTHER FINDINGS The remaining findings pertain to: 1) delinquent accounts not pursued, 2) lack of project management, 3) weaknesses in change management of computer systems, 4) inadequate controls over commodities inventory, 5) noncompliance with State Officials and Employees Ethics Act, 6) treasurer drafts not submitted timely, and 7) incorrect GAAP reporting. We will follow up on these findings during our next examination of the Department. ACCOUNTANT'S OPINION We conducted a compliance examination of the Department as required by the Illinois State Auditing Act. The auditors stated the Department complied, in all material respects, with the requirements described in the report. WILLIAM G. HOLLAND Auditor General WGH:jsc AUDITORS ASSIGNED This examination was performed by the Office of the Auditor General’s staff. DIGEST FOOTNOTES #1 NEED TO IMPROVE CONTROLS OVER PROPERTY AND EQUIPMENT – Previous Department Response 2012: The ISP concurs. The ISP will work with the Public Safety Shared Services Center (PSSSC), property managers, and property custodians to ensure paperwork is processed in a timely manner to ensure property is added to inventory within the time allowed. The ISP will also work with the PSSSC to ensure property records are complete and accurate. Furthermore, the ISP will work with the PSSSC to ensure SCO-560 forms are completed in accordance with the SAMS procedures. The ISP property managers and property custodians will be informed of their roles and responsibilities to account for all property as well as disposed of in accordance with all applicable rules and laws. The ISP continues to struggle with the effects of the central property control unit being located outside of the agency within the PSSSC therefore delaying processing of paperwork as well as removing property control subject matter experts from the agency. #2 – INADEQUATE CONTROLS OVER ACCOUNTS RECEIVABLE REPORTING – Previous Department Response 2012: The ISP concurs. Accounts receivable reporting is a function of the PSSSC. The ISP will work with the PSSSC to ensure reporting is completed accurately and in a timely manner. #3– FAILURE TO MAINTAIN SECURITY CONTROLS OVER COMPUTER SYSTEMS AND CONFIDENTIAL INFORMATION – Previous Department Response 2012: The ISP concurs. Given the nature of the Department’s mission, the ISP is extremely conscious of and very sensitive to the need for adequate security of confidential information. Deployment of encryption technology will be completed as quickly as possible. Migration to new network encryption capabilities will address everything transmitted through the network and address the total encryption requirement. The need for a Departmental-wide risk assessment and compliance with the Identity Protection Act, as well as Department policy must be addressed by the Department. #4 – VOUCHER PROCESSING WEAKNESSES – Previous Department Response 2012: The ISP concurs. The ISP continues to struggle with the effects of reduced staffing, particularly administrative support staff responsible for review and preparation of vouchers for payment. The ISP will work with cost center staff to submit vouchers in a timely manner. In addition, the ISP will continue to work with the PSSSC on the timely approval of vouchers.