INTRODUCTION
The 1997 audit of the Illinois Department of Public
Health is presented in two parts. The compliance part,
with our findings and recommendations, as well as Federal
Single Audit disclosures, is presented in one document.
The financial part, with the opinion on the Department's
financial statements is presented in a separate document.
FINDINGS, CONCLUSIONS AND
RECOMMENDATIONS
NONCOMPLIANCE WITH THE FISCAL CONTROL AND INTERNAL
AUDITING ACT (FCIAA)
The Department's internal audit program does not meet
statutory requirements of the Fiscal Control and Internal
Auditing Act (FCIAA) (30 ILCS 10/1000-3004). During our
audit we noted the following:
- four internal audits were performed during the
two year period, which fell short of the FCIAA
requirement that all major systems be reviewed at
least once every two years;
- the chief internal auditor did not submit a
written report to the Director detailing how the
audit plan for that year was carried out, the
significant findings generated from internal
audits performed, and the extent to which
recommended changes were implemented; and
- the Department had not implemented procedures
and/or a program within the internal audit area
to review the design of major new electronic data
processing systems and major modifications of
those systems before their installation to ensure
the systems provide for adequate audit trails and
accountability.
According to Department personnel, these conditions
were caused by a lack of sufficient staff in the Division
of Audits and a concentration of efforts by internal
auditors in other areas. (Finding 1, page 32) This
finding has been repeated since 1987.
Department officials concurred with our recommendation
to strengthen its internal audit program by allocating
sufficient resources to its Division of Audits to allow
statutory compliance and adherence to the FCIAA Act. (For
previous Department responses see digest footnote number
1.)
CONTROLS OVER LOCAL AREA NETWORKS (LANs)
The Department had not established adequate controls
related to its local area computer networks (LANs). We
noted the following weaknesses:
- some of the networks' software security features
had not been activated;
- security administrators and others with high
access privileges were not required to change
their passwords;
- a number of users had not accessed the LANs in
the last nine months.
In addition, LAN policy and procedures were in draft
form, and no disaster contingency plan existed for the
LANs.
Some of the weaknesses appear to be an oversight of
the network administrator when moving to a different
version of LAN software. Other weaknesses are due to the
Department's position that the items are very low risk.
Without the implementation of adequate controls and
procedures for the LANs, there is a greater risk that
unauthorized access to Department resources may be gained
and data destroyed. Once established, compliance with
developed security procedures must be monitored to
protect Department assets. (Finding 2, page 34) This
finding has been repeated since 1993.
Department officials concurred with our recommendation
to: 1) develop policies and procedures to ensure controls
are adequately addressed on the Department's LANs, and 2)
change the default settings for security standards such
as password length and password change intervals on the
various servers to meet minimum requirements, making the
default settings more standardized. (For previous
Department responses see digest footnote number 2.)
FIXED ASSET REPORTING
The Department identified discrepancies between what
was recorded on its fixed asset inventory records and
what it actually had per its physical inventory of
assets. Inventory reports contained fixed assets that had
been identified in discrepancy reports as missing,
scrapped on site, stolen, or transferred to Central
Management Services (CMS) surplus. Per comparison of the
physical inventory to the Department's fixed asset
records, the Department could not locate various items of
office equipment with a cost of $753,363 and $1,059,176
in fiscal years 1996 and 1997 respectively. (Finding 4,
page 39)
Department officials concurred with our recommendation
to investigate discrepancies noted during the physical
inventory, in order to maintain and accurately report
fixed asset detail and to safeguard Department fixed
assets.
REPORTING REQUIREMENTS
There are various reporting requirements established
by State statutes applicable to the Department. Based
upon our review of a sample of these statutes the
following exceptions were identified:
- Report on Hepatitis Viruses - 20 ILCS 2310/55.36
requires a report to be submitted to the General
Assembly by March 1 of every odd-numbered year
regarding research and development in preventing
the transmission of and isolating hepatitis
viruses. The March 1, 1997 report was not
submitted. Department personnel indicated that
the circumstances that gave rise to this
reporting requirement no longer exist.
- Report by Advisory Committee on Primary Care
Medical Education - 20 ILCS 4022/35 requires the
Advisory Committee on Primary Care Medical
Education to file an annual report with the
Governor and the General Assembly by May 1, 1997
and every year thereafter. The May 1, 1997 report
was not filed. Department personnel indicated the
Committee is still in the process of working on
an annual report.
- Evaluation of Nurses Scholarship and
Baccalaureate Nursing Assistance Program - 110
ILCS 915/9 requires the Nurses Scholarship and
Baccalaureate Nursing Assistance Advisory Council
to make and publish an evaluation of the program
at least once every five years. Department
personnel indicated funding for this program was
eliminated during fiscal year 1993, and,
therefore, no evaluations were performed.
- Report of Advisory Panel on Minority Health - 20
ILCS 2310/55.62a requires the Advisory Panel on
Minority Health to submit an interim report to
the Governor and the General Assembly on or
before January 1, 1997. The interim report was
not submitted until August 11, 1997. Department
personnel indicated the report was not submitted
timely because the Advisory Panel was still in
the process of being appointed.
- Report on Areas of Health Hazards - 30 ILCS
405/4a requires the Director by October 1 of each
year to comprise and submit to the director of
the Environmental Protection Agency (EPA) a list
of areas in the State where a health hazard
exists because of inadequate sewage treatment
facilities. Per the Department, the last list
submitted was dated December 17, 1992. In
December 1992 the Department notified the EPA
that due to severe budget cuts the Department
would no longer be performing health hazard
surveys and would no longer submit the health
hazard priority list. (Finding 7, page 46)
We recommended the Department allocate staff and
resources necessary to ensure the mandates applicable to
the Department are complied with or pursue legislation to
have the mandates rescinded.
Department officials concurred with the finding and
recommendation and stated they will seek legislative
relief where appropriate or employ administrative means
to ensure remedial action is taken.
SUBRECIPIENT MONITORING
During our testing of six subrecipients we noted that
the Department was unable to reconcile the federal funds
passed through to 2 subrecipients to the subrecipient's
records of such funding in its audited financial
statements. These two subrecipients received $35,521,687
of funds through the Department. According to Department
personnel, the Department requested additional
information from the subrecipients to complete the
reconciliations, but had not received it.
Department audit procedures for federal programs of
subrecipient funds indicate that desk reviews should
include a completed reconciliation of federal funds
passed through to subrecipients. Failure to perform all
required reconciliations may allow for the misuse of
federal funds. (Finding 12, page 53)
Department officials concurred with our recommendation
to follow its procedures and perform a reconciliation
between the Department's records and those of its
subrecipients.
OTHER FINDINGS
The remaining findings are less significant due to the
attention given them by Department management during the
audit period. We will review progress toward
implementation of our recommendations during our next
audit.
Mr. Darrel Balmer, Chief Internal Auditor, provided
the Department's responses to our findings and
recommendations.
AUDITORS' OPINION
Our auditors report the financial statements of the
Illinois Department of Public Health for the years ended
June 30, 1996 and 1997 are fairly presented.
_____________________________________
WILLIAM G. HOLLAND, Auditor General
WGH:RPU:pp
SPECIAL ASSISTANT AUDITORS
Our special assistant auditors for this audit were
Kerber, Eck & Braeckel LLP
DIGEST FOOTNOTES
#1 NONCOMPLIANCE WITH THE FISCAL
CONTROL AND INTERNAL AUDITING ACT (FICAA) -Previous
Department Responses.
1995: "The Department concurs with
the finding and recommendation. The Division of Audits
has made progress in meeting the goals and objectives
established in the two year audit plan. However, due to
lack of adequate resources, all of the requirements of
the Fiscal Control and Internal Auditing Act have not
been met. The Division will continue to strive to meet
the statutory mandates and as additional funding is made
available further improvements can be expected. In regard
to the lack of required audit work relative to the EDP
systems, the Department has hired an Information Systems
Auditor."
"The Department will examine the
feasibility of reassigning the program monitoring
function within its current organizational pattern."
1993: "The Department concurs with
the finding and recommendation. The Division of audits
has made progress in meeting the goals and objectives
established in the two-year audit plan. However, due to
lack of adequate resources, all of the requirements of
the Fiscal Control and Internal Auditing Act have not
been met. The Division will continue to strive to meet
the statutory mandates and as additional funding is made
available further improvements can be accomplished."
"The Department will examine the
feasibility of reassigning the program monitoring
function within its current organizational pattern."
1991: "The Department concurs with
the finding and recommendation. The Divisions inability
to meet all of the requirements of the Fiscal Control and
Internal Auditing Act are attributable to the factors
mentioned below and key vacancies within the Division
during a major portion of the audit period. "
"With the filling of two key
positions, the Division of Audits anticipates that
additional progress will be achieved in meeting the goals
and objectives established in the Division's two year
audit plan."
"While the Department acknowledges
that the internal audit function did not fully meet the
requirements of the Fiscal Control and Internal Auditing
Act, several notable accomplishments were realized during
the current audit period. Foremost among these, was the
successful, yet time-consuming, implementation of the
certification requirement of Article 3 of the Fiscal
Control and Internal Auditing Act. The Division of Audits
assumed the responsibility for implementing and
coordinating this effort." (Response continues
outlining areas in which the internal audit functions has
improved.)
1989: "The Department concurs in
the finding and recommendation. The finding correctly
states that the emphasis during the audit period has been
on developing the foundation for an effective program of
internal auditing. The groundwork has now been laid with
the development of a two year audit plan and an audit
procedures manual. We have also pursued an aggressive
program of staff professional development. The division
has experienced significant staff variances that have
inhibited the quality and quantity of work necessary to
meet the statutory requirements of the Internal Auditing
Act." (Response continues with an explanation
concerning changes that are anticipated to be made in the
Internal Audit area).
1987: "The Department concurs in
the finding and recommendation. Several changes have
occurred within Audit Operations which address some of
the concerns and recommendations cited." (Response
continues with an explanation concerning changes made in
Audit Operations).
#2 INADAQUATE CONTROLS
OVER LOCAL AREA NETWORKS (LANs) - Previous Finding
Responses
1995: "The Department concurs with
the finding and recommendation. As indicated, the
Department has experienced a rapid growth in the LAN area
over the last several years. In an effort to strengthen
the Department's LAN support and controls, the Division
of Data Processing has been undergoing a minor
reorganization which will allocate additional resources
to the LAN environment. A new Network Management position
has been created to address our LAN support. Also, a new
security administration position has been created which
will address the security weaknesses in our LAN controls.
One of the first assignments of the security
administrator will be to strengthen our computer network
controls."
1993: "The agency concurs with the
finding and recommendation. The agency has seen an
enormous growth in the number and complexity of local
area networks in the last four years. This, coupled with
staffing reductions, has created a situation where the
existing staff must primarily focus on the day to day
support of the networks that deliver critical application
services."
"The agency will allocate
resources to address potential weaknesses by developing
standard security guidelines and parameters.
Standardization of parameters for password length, grace
logins, password change intervals and others have already
been implemented."
|
