REPORT DIGEST INTERMEDIATE SERVICE CENTER #2: WEST COOK FINANCIAL AUDIT FOR THE YEAR ENDED JUNE 30, 2017 Release Date: AUGUST 24, 2021 FINDINGS THIS AUDIT: 6 CATEGORY: NEW -- REPEAT -- TOTAL Category 1: 1 -- 1 -- 2 Category 2: 2 -- 1 -- 3 Category 3: 0 -- 1 -- 1 TOTAL: 3 -- 3 -- 6 FINDINGS LAST AUDIT: 6 Category 1: Findings that are material weaknesses in internal control and/or a qualification on compliance with State laws and regulations (material noncompliance). Category 2: Findings that are significant deficiencies in internal control and noncompliance with State laws and regulations. Category 3: Findings that have no internal control issues but are in noncompliance with State laws and regulations. State of Illinois, Office of the Auditor General FRANK J. MAUTINO, AUDITOR GENERAL To obtain a copy of the Report contact: Office of the Auditor General, Iles Park Plaza, 740 E. Ash Street, Springfield, IL 62703 (217) 782-6046 or TTY (888) 261-2887 This Report Digest and Full Report are also available on the worldwide web at www.auditor.illinois.gov SYNOPSIS • (17-1) The Intermediate Service Center #2 did not provide completed financial statements in an auditable form by the August 31 deadline. • (17-2) The Intermediate Service Center #2 did not have adequate internal control procedures. • (17-3) The Intermediate Service Center #2 did not have adequate controls over Procurement card transactions. • (17-4) The Intermediate Service Center #2 did not have adequate controls over payroll. • (17-5) The Intermediate Service Center #2 lacked adequate controls over the review of internal controls over external service providers. • (17-6) The Intermediate Service Center #2 lacked controls over Illinois Municipal Retirement Fund (IMRF) census data. FINDINGS, CONCLUSIONS, AND RECOMMENDATIONS DELAY OF AUDIT The Intermediate Service Center #2 (ISC) did not provide completed financial statements in an auditable form by the August 31, 2017 deadline. The ISC is subject to 105 ILCS 5/2-3.17a which requires the Auditor General’s office to cause an audit to be made, as of June 30th of each year, of the financial statements of all accounts, funds, and other moneys in the care, custody, or control of the executive director of each educational service region in the State and of each educational service center established in the School Code. The audit is to be conducted in accordance with Generally Accepted Government Auditing Standards (GAGAS). In accordance with 105 ILCS 5/2-3.17a, the Auditor General has promulgated administrative rules and regulations to govern this process. Those rules, 74 Ill. Adm. Code 420.320 (c) (2), state that for audit purposes, each regional office of education and educational service center shall make available to the Auditor General or his designee all books and records deemed necessary to make and complete the required audits. The records shall be in auditable form by August 15 of the succeeding fiscal year. Financial reports are to be available no later than August 31 in order for the annual audit to be completed by an independent auditor selected by the Auditor General. Annual financial statements are to be prepared on an accrual basis of accounting in accordance with generally accepted accounting principles (GAAP). In addition, prudent business practices and transparency require timely preparation and completion of financial statements. ISC management indicated they incurred key employee turnover which has put them behind in financial reporting. (Finding 17-001, pages 10 – 11) This finding was first reported in 2015. The auditors recommended the ISC should implement procedures to ensure compliance with 105 ILCS 5/2-3.17a and 74 Ill. Adm. Code 420.320 (c) (2). Annual financial statements should be compiled on an accrual basis of accounting in accordance with GAAP and thoroughly reviewed prior to presentation to the Auditor General’s independent auditors for audit by the August 31 deadline. ROE Response: As this writing is occurring in FY21, we expect to see this as an ongoing finding for audits yet to be completed for FY18-20. We have worked with our contracted accountant over the past five years, who has experience with ROE/ISC audits and knows the requirements, to have reports available in a timely manner moving forward. We have also hired a Chief School Business Official (CSBO) who will start work here in July 2021 to address this issue and other findings in this document. INADEQUATE INTERNAL CONTROL PROCEDURES Auditors noted the following weaknesses in the Intermediate Service Center #2’s (ISC) internal control system for which there were no mitigating controls: • 1 out of 12 journal entries sampled during audit testing lacked supporting documentation and 1 lacked supervisory approval. • All transactions were not initially posted directly to the correct funds in the general ledger. Subsequent adjusting entries had to be recorded to reclassify them to the proper fund. • A prior period error was not detected on a timely basis. In fiscal year 2017, the ISC restated its beginning fund balances in the General Fund ($202,897 reduction) and Institute Fund ($202,897 increase). • Rent payments on a facility lease were overpaid by $13,631 based on an outdated lease agreement. The ISC continued to make payments based on the original lease agreement rather than the amended agreement which had a lower monthly rent. • There was a lack of segregation of duties within the cash receipts process. The same employee was primarily responsible for creating invoices for programs and academies, receiving and depositing cash receipts, and following up on outstanding receivable balances. Additionally, there was no formal process for reviewing outstanding receivables. • There was a lack of controls over equipment inventory. The ISC had a detailed listing of capital assets costing over $1,500 and acquired after 2015: however, no details of assets acquired prior to that time were available nor were annual physical inventories taken. The ISC is responsible for establishing and maintaining an internal control system over accounting transactions to prevent errors and fraud. ISC management indicated it has not established or documented sufficient internal control procedures. (Finding 17-002, pages 12 – 13) This finding was first reported in 2012. The auditors recommended the ISC implement internal control procedures to ensure the following: • All journal entries should be supported by appropriate documentation and have evidence of supervisory review. • Transactions should be posted directly to appropriate accounts upon initial recording to avoid subsequent reclassifications. • Financial reports should be thoroughly reviewed prior to issuance. • Disbursements should be reviewed for accuracy and supported by proper documentation. • Incompatible accounting functions need to be segregated and a formal process for reviewing outstanding receivables implemented. • Capital asset inventories need to be taken on an annual basis and detailed records maintained. ROE Response: • All journal entries will be supported by appropriate documentation and have evidence of supervisory review. • Since the original finding regarding reclassifications, we have been training staff to provide accurate account coding to minimize the number of journal entries needed. • Financial reports will be thoroughly reviewed prior to issuance. • Disbursements will be reviewed for accuracy and supported by proper documentation. • Accounting functions will be segregated and a formal process for reviewing outstanding receivables implemented. • Capital asset inventories will be taken on an annual basis and detailed records maintained. INADEQUATE CONTROLS OVER PROCUREMENT- CARD TRANSACTIONS Internal controls over disbursements were not effectively designed and implemented. During auditors testing of procurement-card (P-card) transactions, the auditors noted the following: • Personal expenses were charged by two employees on the Intermediate Service Center #2’s (ISC) P-card. These expenses were paid back in full by the employees with personal checks written to the credit card company. The ISC maintained copies of the personal checks and the related charge receipts with the credit card statements. Personal expenses charged within the transactions tested totaled $772. • 1 out of 40 (2.5%) credit card statements sampled was not available although a supporting receipt was provided. • While testing internal controls over disbursements, 1 out of 40 (2.5%) disbursements sampled included a P- card transaction for which a supporting receipt was not provided. The ISC is required to maintain a system of controls over disbursements to prevent errors, omissions, and fraud. Additionally, expenses incurred should be for a business purpose and represent economical and effective use of the ISC’s resources. ISC management indicated personal expenses were mistakenly charged by two separate staff members using P- cards instead of their personal credit cards. In addition, a statement and charge receipt were misplaced and could not be found. (Finding 17-003, pages 14 – 15) This finding was first reported in 2014. The auditors recommended the ISC adhere to its policy prohibiting the use of P-cards for personal use. In addition, procedures should be implemented to ensure documentation of P-card activity is obtained and retained. ROE Response: The ISC will adhere to its policy prohibiting the use of P- cards for personal use. In addition, procedures will be implemented to ensure documentation of P-card activity is obtained and retained. INADEQUATE CONTROLS OVER PAYROLL During testing of payroll controls for a sample of 40 Intermediate Service Center #2 (ISC) employees, auditors noted the following: • One employee’s contract tested did not have the signature of either the Executive Director or Assistant Executive Director. • For one employee whose position and salary changed, a salary/position change form was not available. Employee contracts should be signed by the Executive Director or Assistant Executive Director pursuant to ISC policy and documentation supporting position changes for employees should be maintained. ISC management indicated it does not know why a signed contract and salary/ position change form were not able to be located. Management indicated this could have been due to filing errors. (Finding 17-004, page 16) The auditors recommended the ISC enhance internal control procedures to ensure an appropriate review and approval process is in place over contracts and salary/position changes. ROE Response: Currently (FY21) all hires and changes in salary/position are approved in writing by the Executive Director or Assistant Executive Director. LACK OF ADEQUATE CONTROLS OVER THE REVIEW OF INTERNAL CONTROLS OVER EXTERNAL SERVICE PROVIDERS As part of the audit process, auditors requested the Intermediate Service Center #2 (ISC) provide a population of the service providers utilized. The ISC was able to identify service providers that provided various hosting and backup services. The ISC is responsible for the design, implementation, and maintenance of internal controls, including the controls that are outsourced to service providers, related to information systems and operations to ensure resources and data are adequately protected from unauthorized or accidental disclosure, modifications, or destruction. Generally accepted information technology guidance endorses the review and assessment of internal controls related to information systems and operations to assure the accurate processing and security of information. During testing, the auditors noted the ISC had not: • Developed a formal process for identifying service providers and obtaining the Service Organization Controls (SOC) reports from the service providers on an annual basis. • Documented its review of each of the SOC reports. • Monitored and documented the operations of the Complementary User Entity Controls (CUECs) relevant to the ISC’s operations. • Obtained and reviewed SOC reports for subservice organizations or performed alternative procedures to determine the impact on its internal control environment. ISC management indicated staff lacked knowledge that a good internal control system included having controls in place to ensure the accuracy of what external service providers are providing and to ensure that the controls of external service providers are sufficient to perform the service(s) for the organization. (Finding 17-005, pages 17 – 18) The auditors recommended the ISC identify all third-party service providers and determine and document if a review of controls is required. If required, the ISC should: • Obtain SOC reports or (perform independent reviews) of internal controls associated with outsourced systems at least annually. • Monitor and document the operation of the CUECs relevant to the ISC’s operations. • Either obtain and review SOC reports for subservice organizations or perform alternative procedures to satisfy itself that the existence of the subservice organization would not impact its own internal control environment. • Document its review of the SOC reports and review all significant issues with subservice organizations to ascertain if a corrective action plan exists and when it will be implemented, any impacts to the ISC, and any compensating controls. • Review contracts with service providers to ensure applicable requirements over the independent review of internal controls are included. ROE Response: We have made contact with another Regional Office of Education to receive training and documentation regarding controls over the review of internal controls over external service providers. LACK OF CONTROLS OVER ILLINOIS MUNICIPAL RETIREMENT FUND (IMRF) CENSUS DATA During testing of the IMRF net pension liability, auditors noted the actuarially determined pension report had census data that could not be confirmed as reasonably accurate. Specifically, auditors noted: • A decrease in the number of retirees and beneficiaries receiving benefits (annuitant) from the December 31, 2015 actuarial valuation to the December 31, 2016 actuarial valuation from 28 to 12. • 4 of 12 annuitants listed on the census data provided to the actuary were never employees of Intermediate Service Center #2 (ISC). Management is responsible for the design, implementation, and maintenance of internal controls relevant to the preparation and fair presentation of financial statements that are free from material misstatement, whether due to error or fraud. Management of cost-sharing and agent employer plans are also responsible for the preparation and fair presentation of the financial statements in accordance with the applicable financial reporting framework, including completeness and accuracy of census data. Although an outside actuary is involved in the calculation of the net pension liability, the actuary relies on census data, the accuracy of which is the responsibility of the ISC. ISC management indicated that in 2013, IMRF approved the ISC to be an IMRF agent whereas District 106 was previously the administrative agent that encompassed the ISC. At this time, a number of individuals who were never ISC employees were erroneously transferred to the ISC’s new account. However, management indicated that the error was corrected. It is likely this resulted in additional individuals being erroneously included in the ISC’s census data. (Finding 17-006, pages 19 – 20) The auditors recommended the ISC work with IMRF to determine the cause of the discrepancies and establish appropriate review procedures over the actuarial valuations and supporting census data. ROE Response: Since this error was detected in 2017, we have been requesting that IMRF make the corrections. We will continue to work with IMRF to ensure that their records are correct and that their previous error does not skew our current actuarial valuations. AUDITORS’ OPINION Our auditors state the Intermediate Service Center #2’s financial statements as of June 30, 2017 are fairly presented in all material respects. This financial audit was conducted by the firm of GW & Associates, PC. JOE BUTCHER Division Director This report is transmitted in accordance with Section 3-14 of the Illinois State Auditing Act. FRANK J. MAUTINO Auditor General FJM:JMM