REPORT DIGEST
DEPARTMENT OF STATE POLICE
FINANCIAL AND COMPLIANCE AUDIT
(In Accordance with the Single Audit Act and OMB Circular A-133)
For the Year Ended:
Summary of Findings: Total this audit 11
Release Date:
State of Illinois
WILLIAM G. HOLLAND, AUDITOR GENERAL
To obtain a copy of the Report contact: (217) 782-6046 or TDD (217) 524-4646
This Report Digest is also available on
SYNOPSIS
(Expenditure and Activity Measures are summarized on the next page.)
DEPARTMENT OF STATE POLICE
FINANCIAL AND COMPLIANCE AUDIT
For The Year Ended June 30, 1999
EXPENDITURE STATISTICS                         FY 1999         FY 1998         FY 1997
Total Expenditures                             $291,446,024    $273,331,066    $252,463,399
  OPERATIONS TOTAL                             $290,370,114    $272,331,703    $251,458,804
    % of Total Expenditures                    99.6%           99.6%           99.6%
    Personal Services                          $169,370,977    $152,217,338    $144,247,183
    Other Payroll Costs (FICA, Retirement)     $29,202,451     $20,161,024     $18,245,563
    Contractual Services                       $16,744,395     $13,480,505     $12,890,034
    All Other Operations Items                 $75,052,291     $86,472,836     $76,076,024
  GRANTS, REFUNDS, IMPROVEMENTS, TOTAL         $1,075,910      $999,363        $1,044,595
    % of Total Expenditures                    0.4%            0.4%            0.4%
  (row label not recovered from source)        $204,910,259    $195,065,370    $185,419,381
SELECTED ACTIVITY MEASURES                     FY 1999         FY 1998         FY 1997
(measure labels were not recovered from the source; values are listed in the order they appear)
  (label not recovered)                        1,980           1,908           1,980
  (label not recovered)                        409,262         394,827         363,218
  (label not recovered)                        122,781         133,611         135,032
  (label not recovered)                        26,334          25,582          25,209
  (label not recovered)                        8,781           7,799           8,733
  (label not recovered)                        7,471           6,396           7,325
AGENCY DIRECTOR(S)
During Audit Period: Mr. Gene Marlin (7/1/98 - 1/15/99), Mr. Sam Nolen (effective 1/16/99)
Inadequate system development standards and contract monitoring procedures
Inadequate controls over contracts
$521,000 paid from incorrect fiscal year appropriation
Inadequate controls over Local Area Network (LAN) and mainframe systems
Outdated disaster contingency plans
FINDINGS, CONCLUSIONS, AND RECOMMENDATIONS

LACK OF SYSTEM DEVELOPMENT STANDARDS RESULTING IN INADEQUATE OVERSIGHT AND CONTROL OF COMPUTER SYSTEM PROJECTS

The Department had not established system development standards or contract monitoring procedures to ensure computer system projects are appropriately managed. The lack of standards and procedures resulted in systems being developed and paid for that did not adhere to contractual requirements or meet the needs of the Department.

We reviewed four system development projects and identified project management problems with three of the four. One contract had been paid in full although not all contract deliverables had been received. One contract was paid in full for a system the Department could not use. Lastly, one contract was paid although the system had been under development for seven years and had not been fully implemented. (Finding 1, pages 13-14)

We recommended the Department institute measures to strengthen project management, such as developing policies and procedures, implementing a system development methodology, and establishing appropriate monitoring mechanisms. Further, the Department should ensure compliance with the established standards and methodology, hold a significant percentage of contract amounts until deliverables are complete and/or received, and initiate efforts to recoup contract monies for deliverables not received.

Department officials concurred with our recommendation and stated a Quality Assurance Section has been established. In addition, a committee will be assigned to define specific direction in terms of processes, standards and control, with a complete action plan developed by March 30, 2000.

INADEQUATE CONTROLS OVER BODY SHOP CONTRACTS

The Department's Information Services Bureau entered into numerous "body shop" contracts. These contracts, with consultants pre-approved by the Department of Central Management Services, usually specify EDP services for up to a certain number of hours to be completed by a specified date. We noted the following deficiencies:

Prudent business practices require that proper internal controls be established to prevent improper expenditures, encourage adherence to legal requirements and prescribed management policies, and ensure the accuracy and reliability of accounting data. (Finding 10, pages 28-29)

We recommended the Department only pay for hours actually worked within the contract period, review invoices to ensure only charges authorized under the contract are paid, and only pay for services performed pursuant to the applicable contract. Further, the Department should develop, implement and periodically monitor management controls designed to ensure future compliance with applicable purchasing and appropriation rules.

Department officials concurred with our recommendation and stated they will develop, implement and monitor management controls that ensure contracts are compliant. The Department also stated a compliance officer has been appointed to oversee this process.

IMPROPER FISCAL YEAR EXPENDITURES

The Department's Information Services Bureau improperly expended $521,000 of FY99 money for FY98 expenditures, in violation of appropriations, for the design, development and implementation of a new criminal history application. The contractor billed the Department for services rendered in FY98. However, a contract was not signed until late in June; therefore, the Department requested the contractor change deliverable dates and resubmit the work products for re-acceptance by the Department in FY99. (Finding 11, pages 30-31)

We recommended the Department only pay for contracted services and pay for such services out of the correct fiscal year appropriations. In addition, we recommended the Department ensure that all billings and billing dates are accurate.

Department officials concurred with our recommendation and stated the Information Services Bureau will develop, implement and monitor expenditure controls.

INADEQUATE COMPUTER SECURITY

The Department had not established adequate security controls over its computer systems. The Department utilizes approximately $6.3 million of computer equipment and has local area networks (LANs) located throughout the State. The Department processes critical applications on the LANs, and the LANs provide access to the Department's mainframe computer system from remote sites.

The Department has written policies and procedures for personal computers, LAN administration, and information security. However, we determined the Department had not ensured compliance with these policies and procedures. We noted several security weaknesses in both the Department's LAN and mainframe computer system processes. (Finding 2, pages 15-16) This finding has been reworded and repeated since 1992.

We recommended the Department enforce its written policies and procedures for the administration of LANs and mainframes, and for information security.

Department officials concurred with our recommendation and stated a policy encompassing these recommendations will be completed by March 30, 2000. (For previous Department responses, see Digest Footnote 1.)

DISASTER CONTINGENCY PLAN WEAKNESSES

The Department had not updated its disaster contingency plan to include provisions for recovering its entire computing environment, nor performed a comprehensive test of its mainframe, minicomputer, or local area network disaster recovery capabilities. We noted the only disaster contingency procedures tested were those associated with the recovery of the mainframe backup tapes at the backup site. A comprehensive disaster recovery test of mainframe systems had not been conducted, and the mainframe plan did not state required recovery timeframes for each of the critical applications. In addition, the current backup site did not have sufficient capacity to process all of the Department's critical applications.

We also noted that a recovery site for the minicomputer applications did not exist and that the Department had not taken action to upgrade the fire protection system in the Armory. (Finding 5, page 20) This finding has been reworded and repeated since 1986.

We recommended the Department adopt an enterprise-wide approach to recovering and restoring computer processing in its disaster recovery plans. We also recommended the Department strengthen its disaster recovery capabilities.

Department officials concurred with our recommendation and stated a revised plan will be completed by June 30, 2000. (For previous Department responses, see Digest Footnote 2.)

OTHER FINDINGS

The remaining findings were less significant and are being given attention by the Department. We will review its progress toward implementing these recommendations in our next audit.
AUDITORS' OPINION

Our auditors state that the Department's financial statements as of and for the year ended June 30, 1999 are fairly presented in all material respects.
____________________________________ WILLIAM G. HOLLAND, Auditor General WGH:JSC:pp
SPECIAL ASSISTANT AUDITORS

Our special assistant auditors for this audit were Olive LLP.
DIGEST FOOTNOTES

#1: INADEQUATE COMPUTER SECURITY - Previous Department Responses

1998: "We concur. ISB has corrected the specific items found not to comply with current security procedures and will implement additional safeguards to ensure these specific items do not occur in the future. In addition, the Department will budget for and purchase security audit software that will assist LAN administrators to more easily identify instances of non-compliance. It is not possible to comply with separation of applications development and LAN administration on the two programmers identified in the audit. These two individuals are on-site support people in the Chicago Lab and are used as backup network support. ISB will take additional measures to ensure accountability in regard to network administration access. These measures will be reflected in the written policies and procedures."

1996: "We concur. Due to the pending plan to renovate the Armory, improved fire protection will be included in this effort, contingent upon adequate funding."

1994: "We concur in part. More work needs to be done on LAN security and control. However, the recommendations made by the audit are contrary to those implemented on the mainframe. The LAN and mainframe require similar controls and should be consistent with each other. The need for disaster recovery for LANs is recognized and will be addressed. While ISB (Information Services Bureau) does not currently have a separate security awareness class, security is emphasized in all of the Information Center training classes." (The response then goes on to address the recommendations made in more detail.)

1992: "We concur. ISB will coordinate and manage local area networks (LANs) for ISP. The responsibility will include controlling, installing and supporting LANs as well as security functions." (The response provides further details on plans to implement the recommendations.)
#2: DISASTER CONTINGENCY PLAN WEAKNESSES - Previous Department Responses

1998: "We concur with the need for an upgraded fire protection system for the entire Armory building. However, funding and other extenuating circumstances have proved prohibitive in the realization of this initiative. We concur in part with the analysis of the LAN disaster plan. Every LAN application has back-up hardware and software in the event of a disaster. Application staff and Network staff know what needs to be done to recover all of the ISP LAN based applications in the event of a disaster. However, the process for recovery needs to be formalized and committed to policy. ISP will make the necessary changes and additions to the Disaster Recovery Plan."

1996: "We concur. Due to the pending plan to renovate the Armory, improved fire protection will be included in this effort, contingent upon adequate funding."

1994: "We concur. A written disaster recovery plan is in process. ISP will continue to work toward a more complete Armory fire suppression system as funds allow."

1992: "ISP concurs that an alternate processing site should be established. To this end, ISP and CMS are in the process of implementing the capability for ISP to use CMS facilities in the event of a disaster. This capability will include the ability to switch critical communications lines so that processing of officer safety functions will be protected. ISP anticipates conducting a test of this capability by the beginning of FY 94. The intent of ISP is to address the inadequacies of fire protection in three phases as funding becomes available. The first phase will encompass an Armory-wide fire detection system that will alert the fire department when a fire is detected. The second phase will provide for fire suppression in areas that are unmanned in off-hours. The third phase will provide for fire suppression in critical areas that are manned twenty-four hours per day. The greatest risk to the computer facility is a fire that ignites in the Armory and is not detected until too late. In areas that are manned, the risk is less and staff would be able to call for the fire department in a timely fashion. To minimize total risk, fire detection and suppression is needed in all areas of the Armory to protect critical functions."

1990: "We concur with the findings concerning lack of a backup site and inadequate fire suppression in the Data Center. We will continue to seek funding to correct these deficiencies."

1988: "We concur."

1986: "We concur. A formal recovery plan is under development. A Failure Impact Analysis has been completed and recommendations are being prepared, for the Director's approval, on priority for restoring all applications. Funds have been requested in FY90 from the Capital Development Board for FY90 to build a primary data center which would then allow the Armory as a backup site. A complete fire protection system has not been installed due to lack of adequate funds. However, some alternative fire suppression efforts have been made. Since 1984, we have utilized very limited funds to expand heat sensors/fire detectors in the data center, which are monitored by the ISP Command Center. We have also obtained fire-retardant trash containers, and plastic covers to prevent water damage to equipment due to burst pipes."