DEPARTMENT OF STATE POLICE FINANCIAL AND COMPLIANCE AUDIT Summary of Findings:
Release Date: WILLIAM G. HOLLAND To obtain a copy of the Report contact: This Report Digest is also available on |
SYNOPSIS
|
DEPARTMENT OF STATE POLICE
FINANCIAL AND COMPLIANCE AUDIT
For The Two Years Ended June 30, 1998
EXPENDITURE STATISTICS | FY 1998 |
FY 1997 |
FY 1996 |
|
$273,331,066 $272,331,703 $152,217,338 $20,161,024 $13,480,505 $86,472,836
$195,065,370 |
$252,463,399 $251,458,804 $144,247,183 $18,245,563 $12,890,034 $76,076,024
$185,419,381 |
$233,328,902 $223,029,895 $135,221,377 $16,845,455 $12,874,420 $58,088,796
$163,597,972 |
SELECTED ACTIVITY MEASURES | FY 1998 |
FY 1997 |
FY 1996 |
Sworn Officers | 1,908 |
1,980 |
1,825 |
IL Vehicle Code Citations | 394,827 |
363,218 |
324,108 |
Motorist Assists | 133,611 |
135,032 |
137,765 |
Arrests | 25,582 |
25,209 |
24,755 |
Cases Opened | 7,799 |
8,733 |
10,273 |
Convictions | 7,471 |
7,325 |
4,849 |
AGENCY DIRECTOR(S) |
During Audit Period: Mr. Terrance Gainer Currently: Mr. Sam Nolen |
The Department has invested about $2 million in computer hardware and software and approximately 800 employees have access to 75 computer networks throughout the State
Inventory levels represent approximately a year and a half supply of uniforms
The Department does not have formal procedures for monitoring account receivable balances
Certain deficiencies continue to exist with disaster recovery plans for LANs and with the fire protection at the Armory building |
FINDINGS, CONCLUSIONS, AND INADEQUATE COMPUTER CONTROLS OVER LOCAL AREA NETWORKS (LANS) The Department has not established adequate computer security controls over local area networks. The Department has approximately a $2 million investment in LAN hardware and software. LANs are used to process critical applications and provide access to the Department's mainframe computer system. Recently the Department developed and implemented written policies and procedures for the administration of LANs; however, the Department is not ensuring these policies and procedures are being followed. We also noted two application programmers possessed supervisor access to one of the Department's LANs without the Department establishing compensating controls to allow for this inappropriate segregation of duties. In addition, the Department does not utilize the various tools available to it for monitoring security. (Finding 98-10, pages 24-25) This finding has been repeated since 1992. We recommended the Department implement monitoring procedures to ensure LAN software security features are being properly utilized. Further, the Department should not assign application programmers as LAN Administrator backup personnel or should institute appropriate compensating controls. The Department concurred and stated that it has corrected the specific items found not to comply with current security procedures and will implement safeguards to ensure these items do not occur in the future. In addition, the Department will budget for and purchase security audit software to assist LAN administrators to identify instances of non compliance. Lastly, written policies and procedures will be implemented to provide accountability in regard to network administration access since segregating the duties of the two backup network support individuals is not possible. (For previous agency responses, see Digest Footnote 1.) EXCESSIVE INVENTORY LEVELS The Department of State Police maintains inventories at several locations which consists of uniforms and various operating supplies. At June 30, 1998, the inventory value was about $3 million. Although the Department decreased its inventories by approximately 13% from the prior audit period, these inventory levels represent an approximate one and one-half year supply, which is not in compliance with the Illinois Procurement Code. According to the Department, uniforms, which comprise a large portion of the inventory, must be ordered in large quantities and carried in a variety of sizes. However, we noted that the Department is susceptible to a higher level of risk of loss due to theft, obsolescence or damage as inventory levels increase. Additionally, the existing inventory system is not capable of establishing automated restocking points, thus the supply section is required to assess inventory needs using a manual system. (Finding 98-3, page 16) We recommended the Department continue to reduce existing inventory and establish minimum restocking levels. Also, the Department should consider developing a more cost effective approach for the inventory system. The Department concurred in part and stated that the Central Supply Section is legislatively charged with maintaining an inventory of uniforms, equipment, and hardware for all Illinois State Police officers. An assortment of uniforms is required to be on hand to properly fit officers. INADEQUATE MONITORING AND ACCOUNTING FOR ACCOUNTS RECEIVABLE BALANCES The Department has inadequate procedures for monitoring and accounting for accounts receivable balances. We noted several deficiencies. For example, the Department's accounts receivable subsidiary records for the State Police Services Fund totaled $48,500 greater than the amount reported on the Department's financial statements. The Road Fund receivables are maintained on two different systems, and not all supporting documentation was maintained for both systems. The Department does not maintain formal documentation of follow up attempts in regard to overweight fines, citations, and dispositions. The subsidiary detail for overweight fines included a receivable from one individual for approximately $97,000 which is not possible according to the fines schedule. This balance was the result of a data-entry error. Lastly, the Road Fund receivables totaled approximately $987,000 and $933,000 at June 30, 1998 and 1997. Of these balances, receivables in excess of one year old totaled approximately $670,000 and $640,000 at June 30, 1998 and 1997. (Finding 98-7, page 20) We recommend the Department develop and follow formal written procedures for the monitoring, maintenance and accounting for accounts receivable balances. The Department concurred and stated it will develop and follow written procedures for monitoring accounts receivable balances and will maintain improved documentation for each receivable. LACK OF A DISASTER RECOVERY PLAN FOR LOCAL AREA NETWORKS (LANs) AND INSUFFICIENT FIRE PROTECTION SYSTEM The Department does not have a disaster recovery plan for LANs at locations throughout the State. In addition, the fire extinguishing system for the Information Services Bureau's (ISB) computer operations facility is insufficient. The fire extinguishing system for the entire building is the same and is, likewise, insufficient. The Department has LANs locations throughout the State. All of the LANs have the capability to access the Department's mainframe computer at the Armory, and it is critical that the integrity and security of information maintained on the Department's LANs be protected and that the LANs can be restored in the event of a disaster. The Department has approximately $10 million of computer equipment at a single centralized site utilized for the processing of certain accounting applications as well as the Law Enforcement Agencies Data System (LEADS). However, the Department relies on hand-held Halon fire extinguishers as the means of fire suppression in ISB's computer facility, and the Armory building's fire detection system is comprised mainly of stand alone smoke detectors. Proper physical controls are necessary to ensure that sensitive programs, operating procedures, and valuable computer hardware are safeguarded from hazards. Improper disclosure or destruction of data, or destruction of hardware, would have a devastating effect on the operations of the Department as well as other local and national law enforcement agencies. (Finding 98-9, pages 22-23) This finding has been repeated since 1986. We recommended the Department upgrade the fire protection system for the computer facility and the entire Armory building to provide adequate security against potential loss due to fire damage and develop a written LANs disaster recovery plan. The Department concurred and plans to make necessary changes and additions to the disaster recovery plan. The Department also stated funding and other extenuating circumstances have prohibited the realization of upgrading the fire protection system at the Armory building. (For previous agency responses, see Digest Footnote 2.) OTHER FINDINGS The remaining findings were less significant and are being given appropriate attention by the Department. We will review its progress toward implementing these recommendations in our next audit. AUDITORS' OPINION Our auditors state that the Department's financial statements for the two years ending June 30, 1998 are fairly presented.
WGH:JSC:pp SPECIAL ASSISTANT AUDITORS Our special assistant auditors for this audit were Olive LLP. DIGEST FOOTNOTES #1: INADEQUATE CONTROL OVER LOCAL AREA NETWORKS (LANS) - Previous Department Responses. 1996: "We concur. Due to the pending plan to renovate the Armory, improved fire protection will be included in this effort, contingent upon adequate funding." 1994: "We concur in part. More work needs to be done on LAN security and control. However, the recommendations made by the audit are contrary to those implemented on the mainframe. The LAN and mainframe require similar controls and should be consistent with each other. The need for disaster recovery for LANs is recognized and will be addressed. While ISB (Information Services Bureau) does not currently have a separate security awareness class, security is emphasized in all of the Information Center training classes." (The response then goes on to address the recommendations made in more detail.) 1992: "We concur. ISB will coordinate and manage local area networks (LANs) for ISP. The responsibility will include controlling, installing and supporting LANs as well as security functions." (The response provides further details on plans to implement the recommendations.) #2: LACK OF DISASTER RECOVERY PLAN FOR LOCAL AREA NETWORKS AND INSUFFICIENT FIRE PROTECTION SYSTEM - Previous Department Responses 1996: "We concur. Due to the pending plan to renovate the Armory, improved fire protection will be included in this effort, contingent upon adequate funding." 1994: "We concur. A written disaster recovery plan is in process. ISP will continue to work toward a more complete Armory fire suppression system as funds allow." 1992: "ISP concurs that an alternate processing site should be established. To this end, ISP and CMS are in the process of implementing the capability for ISP to use CMS facilities in the event of a disaster. This capability will include the ability to switch critical communications lines so that processing of officer safety functions will be protected. ISP anticipates conducting a test of this capability by the beginning of FY 94. The intent of ISP is to address the inadequacies of fire protection in three phases as funding becomes available. The first phase will encompass an Armory-wide fire detection system that will alert the fire department when a fire is detected. The second phase will provide for fire suppression in areas that are unmanned in off-hours. The third phase will provide for fire suppression in critical areas that are manned twenty-four hours per day. The greatest risk to the computer facility is a fire that ignites in the Armory and is not detected until too late. In areas that are manned, the risk is less and staff would be able to call for the fire department in a timely fashion. To minimize total risk, fire detection and suppression is needed in all areas of the Armory to protect critical functions." 1990: "We concur with the findings concerning lack of a backup site and inadequate fire suppression in the Data Center. We will continue to seek funding to correct these deficiencies." 1988: "We concur." 1986: "We concur. A formal recovery plan is under development. A Failure Impact Analysis has been completed and recommendations are being prepared, for the Director's approval, on priority for restoring all applications. Funds have been requested in FY90 from the Capital Development Board for FY90 to build a primary data center which would then allow the Armory as a backup site. A complete fire protection system has not been installed due to lack of adequate funds. However, some alternative fire suppression efforts have been made. Since 1984, we have utilized very limited funds to expand heat sensors/fire detectors in the data center, which are monitored by the ISP Command Center. We have also obtained fire-retardant trash containers, and plastic covers to prevent water damage to equipment due to burst pipes." |