REPORT DIGEST

DEPARTMENT OF THE LOTTERY
COMPLIANCE EXAMINATION
FOR THE TWO YEARS ENDED JUNE 30, 2019

Release Date: March 3, 2020

FINDINGS THIS AUDIT: 14

CATEGORY      NEW   REPEAT   TOTAL
Category 1      3        3       6
Category 2      6        1       7
Category 3      0        1       1
TOTAL           9        5      14

FINDINGS LAST AUDIT: 8

Category 1: Findings that are material weaknesses in internal control and/or a qualification on compliance with State laws and regulations (material noncompliance).
Category 2: Findings that are significant deficiencies in internal control and noncompliance with State laws and regulations.
Category 3: Findings that have no internal control issues but are in noncompliance with State laws and regulations.

State of Illinois, Office of the Auditor General
FRANK J. MAUTINO, AUDITOR GENERAL

To obtain a copy of the Report contact: Office of the Auditor General, Iles Park Plaza, 740 E. Ash Street, Springfield, IL 62703, (217) 782-6046 or TTY (888) 261-2887
This Report Digest and Full Report are also available on the worldwide web at www.auditor.illinois.gov

INTRODUCTION

This digest covers the Department’s compliance examination for the two years ended June 30, 2019. A separate digest covers the State Lottery Fund’s financial audit as of and for the year ended June 30, 2019. In total, this report includes 14 findings, four of which were reported in the financial audit.

SYNOPSIS

• (19-05) The Department did not ensure its Private Manager obtained a timely System and Organization Controls (SOC) examination of the Central Gaming System by an Independent Service Auditor against the Trust Services Criteria, a critical piece of attestation evidence.
• (19-07) The Department did not maintain adequate internal control over its personal services function.
• (19-09) The Department did not exercise adequate control over its State vehicles.
FINDINGS, CONCLUSIONS, AND RECOMMENDATIONS

FAILURE TO OBTAIN TIMELY ASSURANCE OVER THE TRUST SERVICES CRITERIA AND INFORMATION INTEGRITY FOR THE CENTRAL GAMING SYSTEM

The Department of the Lottery (Department) did not ensure its Private Manager obtained a timely System and Organization Controls (SOC) examination of the Central Gaming System (CGS) by an Independent Service Auditor against the Trust Services Criteria (TSC), a critical piece of attestation evidence.

During the Department’s transition from the predecessor Private Manager to the current Private Manager, the Office of the Auditor General (OAG) communicated the need for the Department to ensure it received a SOC 2, Type 2 report from the new Private Manager covering the period it ran the CGS during Fiscal Year 2019. A SOC 2, Type 2 report tests the design, suitability, and operating effectiveness of controls over the CGS against the TSC throughout a stated period (a Type 1 report, by contrast, evaluates only the design of controls as of a single date). As defined by the American Institute of Certified Public Accountants, the TSC cover the following five areas:

1) Security. Information and systems are protected against unauthorized access, unauthorized disclosure, and damage that could compromise the availability, integrity, confidentiality, and privacy of the information or systems and impair the entity’s ability to meet its control objectives.

2) Availability. The system and information are available for operation and use to meet the control objectives, including the availability of information used by the entity and of the services provided to customers. Availability addresses whether controls support accessibility for operation, monitoring, and maintenance.

3) Processing Integrity. Processing integrity addresses whether the system achieves the purpose for which it exists, including that system processing is valid, accurate, complete, timely, and authorized to meet the control objectives.
Further, processing integrity addresses whether the system functions as intended in an unimpaired manner, free from errors, delays, omissions, unauthorized manipulation, and inadvertent manipulation.

4) Privacy. Personal information is collected, used, retained, disclosed, and disposed of in accordance with the control objectives.

5) Confidentiality. Confidentiality addresses the ability of the service provider to protect data and information designated as confidential from its initial collection or creation through disposal and removal.

Department officials acknowledged the importance of this SOC report, indicating the new Private Manager would be contractually required to obtain a SOC report covering its CGS each fiscal year over the duration of the contract. Ultimately, § 11.7.2 of the Private Management Agreement (PMA) between the Department and the new Private Manager required delivery of the SOC report to the State covering the portion of Fiscal Year 2019 when it operated the CGS no later than September 28, 2019.

When the CGS transitioned to the new Private Manager on February 18, 2019, the new Private Manager assigned the functions to operate and maintain the CGS to a subcontractor. During this examination, we communicated the importance of obtaining a timely SOC 2, Type 2 report to Department officials. After we became aware the subcontractor was not going to obtain the appropriate SOC report from an Independent Service Auditor, we jointly worked with Department officials to develop a workable scope for the SOC examination and set a mutually agreeable deadline of October 15, 2019, for receipt of the SOC 2, Type 2 report, which would still have enabled us to timely express our opinion on the Department’s compliance with the specified requirements set by the Audit Guide for Financial Audits and Compliance Attestation Engagements of Illinois State Agencies.
In a letter to the Private Manager on August 6, 2019, Department officials communicated (1) the need for a SOC 2, Type 2 report with the change in scope to get a workable report and (2) their expectation that the subcontractor should have been aware of this need.

As the examination progressed, we became concerned the SOC 2, Type 2 report was not going to be received timely. On October 16, 2019, Department officials informed the OAG they had interacted with the Private Manager and determined the delays were due to the Private Manager’s subcontractor contracting with a firm to perform the examination that did not have sufficient available resources to timely complete both the SOC 1, Type 2 engagement (see Finding 2019-001; a SOC 1 report covers controls relevant to user entities’ financial reporting rather than the TSC) and the SOC 2, Type 2 engagement.

In response, we had the Department obtain the engagement letter and/or terms of the engagement between the Private Manager and the Independent Service Auditor. We noted the engagement letter between the Independent Service Auditor and the Private Manager’s subcontractor operating the CGS was not written until October 10, 2019, and not executed in writing by all parties until October 15, 2019. Under this agreement, the Independent Service Auditor was not going to start performing its month of testing until December 9, 2019. Further, the Independent Service Auditor was not going to deliver the final report until February 12, 2020. Along with this engagement letter, Department officials provided an undated and unsigned “delivery schedule” showing the testing was going to be conducted from October 21 through November 22, 2019, with the final report delivered on December 21, 2019.

The Private Manager’s subcontractor ultimately delivered the SOC 2, Type 2 report signed by the Independent Service Auditor on December 20, 2019, which significantly delayed our completion of this examination.
(Finding 5, pages 26-29)

We recommended the Department take immediate action to ensure the Private Manager and its subcontractor obtain a SOC 2, Type 2 report for the CGS covering the State’s fiscal year no later than 45 days after the close of the State’s fiscal year. In addition, we recommended the Department monitor changes to its environment to ensure it receives SOC 2, Type 2 reports for all systems comprising the State’s Lottery that are operated by service providers.

Department officials agreed with our recommendation.

INADEQUATE CONTROL OVER PERSONAL SERVICES

The Department did not maintain adequate internal control over its personal services function. During testing, we noted the following:

• The Department did not include fringe benefits for the personal use of a State vehicle within its Lottery Sales Representatives’ taxable income during the engagement period. These employees extensively use State vehicles when commuting to retailers as part of their full-time job.
• During testing of nine separation payments for an employee’s accrued vacation leave, we noted one (11%) employee was underpaid $2,943. The Department erroneously paid out the employee’s 19.8 accrued sick days as opposed to the employee’s 26.8 accrued vacation days.
• During testing of 15 employees who should have undergone 27 performance evaluations during the examination period, we noted the following:
  – The Department lacked documentary evidence that six (22%) performance evaluations had been performed when due.
  – The Department did not conduct 18 (67%) performance evaluations in a timely manner, as they were completed between 32 and 418 days after the final day of the employee’s evaluation period.
• During testing of 15 employees, we noted the Department failed to complete Section 2 on one (7%) Employment Eligibility Verification Form (Form I-9), which documents the Department’s review and verification of the employee’s authorization to work in the United States of America.
(Finding 7, pages 33-35)

We recommended the Department implement controls to ensure: 1) fringe benefits related to its employees’ commuting in State vehicles are either added to each affected employee’s taxable income or each employee provides a reimbursement to the State for the commuting use of the State’s vehicle in strict adherence with IRS regulations; 2) separation pay-outs are correct; 3) all required performance evaluations are conducted timely; and, 4) the original completed Form I-9 is retained in its employees’ personnel files.

Department officials accepted our recommendation.

INADEQUATE CONTROL OVER STATE VEHICLES

The Department did not exercise adequate control over its State vehicles. During testing, we noted the following:

• We reviewed the maintenance records for eight vehicles, noting the following:
  – Four of eight (50%) vehicles tested did not have the vehicle’s odometer reading recorded at the beginning of the examination period. As such, we could not determine whether the vehicle’s periodic maintenance, such as oil changes and tire rotations, was performed timely, and we were unable to determine if the vehicle’s use was reasonable and necessary during the examination period.
  – Two of the eight (25%) tested vehicles did not have an oil change at all during the examination period. One of these vehicles was driven 9,092 miles over the examination period with an oil change required after one year or 5,000 miles of use. For the other vehicle, the Department lacked records to substantiate its beginning mileage, and the vehicle required an oil change after one year or 3,000 miles of use.
  – The eight tested vehicles had 13 oil changes during the examination period. We noted six of the 13 (46%) oil changes were performed between 954 and 10,975 miles after the vehicle’s specific oil change interval mileage point had been exceeded.
  – One of the eight (13%) tested vehicles, which required an oil change after one year or 5,000 miles of use, was overdue for an oil change by 1,388 miles on June 30, 2019.
  – Four of eight (50%) vehicles tested did not have a tire rotation during the examination period.
  – Four of eight (50%) vehicles tested did not have an annual inspection during the examination period.
• One of five (20%) vouchers tested, totaling $11,392, included two purchases of fuel, totaling $68, made outside of normal working hours on the weekend when the employee was not working overtime and had not received approval to make the purchase outside of normal business hours. We noted the Department had not identified these two deviations or determined the reason for them prior to our review of the fuel invoice.

(Finding 9, pages 39-41)

We recommended the Department implement controls to provide assurance its vehicles are appropriately maintained in accordance with State regulations and CMS directives. Further, we recommended the Department enforce its policies prohibiting the use of the State’s vehicles outside of regular business hours without the approval of the Director or the Director’s designee.

Department officials agreed with our recommendation.

OTHER FINDINGS

The remaining findings pertain to ineffective oversight of the evaluation team selecting the new private manager, inadequate controls over contractual services and reporting requirements, weaknesses regarding the security and control of confidential information, weaknesses in compliance with the Payment Card Industry Data Security Standard (PCI DSS), weaknesses in system access controls, and noncompliance with requirements regarding the Lottery Control Board.

We will review the Department’s progress towards the implementation of our recommendations in our next compliance examination.
ACCOUNTANT’S OPINION

The accountants conducted a compliance examination of the Department for the two years ended June 30, 2019, as required by the Illinois State Auditing Act. The accountants qualified their report on State compliance for Findings 2019-001 through 2019-003, 2019-005, and 2019-006. Except for the noncompliance described in these findings, the accountants stated the Department complied, in all material respects, with the requirements described in the report.

This compliance examination was conducted by Sikich LLP.

JANE CLARK
Division Director

This report is transmitted in accordance with Section 3-14 of the Illinois State Auditing Act.

FRANK J. MAUTINO
Auditor General

FJM:djn