REPORT DIGEST
DEPARTMENT OF CENTRAL MANAGEMENT SERVICES
BUREAU OF COMMUNICATION AND COMPUTER SERVICES
THIRD PARTY REVIEW
For the Year Ended: June 30, 2008
Release Date: July 9, 2008

State of Illinois Office of the Auditor General
WILLIAM G. HOLLAND, AUDITOR GENERAL

To obtain a copy of the Report contact: Office of the Auditor General, Iles Park Plaza, 740 E. Ash Street, Springfield, IL 62703, (217) 782-6046 or TTY (888) 261-2887.
This Report Digest and Full Report are also available on the worldwide web at www.auditor.illinois.gov
INTRODUCTION

The Department of Central Management Services’ (Department) Bureau of Communication and Computer Services carries out statutory responsibilities relating to data processing and telecommunication services (20 ILCS 405/405-10; 20 ILCS 405/405-20; 20 ILCS 405/405-250; 20 ILCS 405/405-255; 20 ILCS 405/405-260; 20 ILCS 405/405-270 and 20 ILCS 405/405-410). To fulfill its responsibilities, the Department operates the Central Computer Facility (CCF), the Communications Center, and branch facilities. Through its facilities, the Department provides data processing services to approximately 97 user agencies.

The Department is mandated to manage or delegate the management of the procurement, retention, installation, maintenance, and operation of all electronic data processing equipment used by State agencies to achieve maximum economy consistent with development of adequate and timely information in a form suitable for management analysis, in a manner that provides for adequate security protection and back-up facilities for that equipment.

The Department functions as a service organization providing computing and telecommunication resources for State agencies’ use. The Department and the agencies that use the Department’s computer resources share the responsibility for maintaining the integrity and security of computerized data and functions.

We reviewed data processing general controls at the Department primarily during the period from January 2, 2008 to May 16, 2008. We performed tests to determine compliance with policies and procedures, conducted interviews, performed observations, and identified specific control objectives and procedures we considered necessary to evaluate the controls. We also reviewed application controls for systems maintained by the Department for State agencies’ use. The systems reviewed were the Accounting Information, Central Payroll, Central Inventory, and Central Time and Attendance Systems.

ILLINOIS DEPARTMENT OF CENTRAL MANAGEMENT SERVICES
BUREAU OF COMMUNICATION AND COMPUTER SERVICES

STATISTICS | 2008
Mainframes | 4 Units Configured as 12 Production Systems and 6 Test Systems; 1 Unit Configured as 5 Systems for Business Continuity
Services/Workload | Impact Printing – 11.8 Million Lines per Month; Laser Printing – 15.4 Million Pages per Month
State Agency Users | 97
Bureau Employees | 2005 -- 775; 2006 -- 777; 2007 -- 748; 2008 -- 708
Historical Growth Trend** | 2005 -- 3,217 MIPS; 2006 -- 3,217 MIPS; 2007 -- 3,962 MIPS; 2008 -- 4,018 MIPS

MIPS -- Million Instructions Per Second
** In the month of April for each year listed
Information provided by the Department – Unaudited

DEPARTMENT DIRECTOR AND DEPUTY DIRECTOR/BUREAU MANAGER
During Audit Period and Current Acting Director: Maureen O’Donnell
Deputy Director/Bureau Manager: Doug Kasamis

Security policies had not been updated to reflect current environment
Billing methodology weaknesses were identified
Disaster Contingency Planning Weaknesses

REPORT SUMMARY

We identified two significant deficiencies for which we could not obtain reasonable assurance over the controls.

Security Policies

The Department has the primary responsibility for providing IT services to State Government. Thus, it is imperative the Department implement a framework to promote and apply prudent, comprehensive, and effective security practices. The expanding use of information technology, increased sharing of sensitive information, and emerging IT risks make it imperative that security be appropriately addressed.

The policies outlined in the Department’s Description of Control as current and approved were actually not in effect, and were not published by posting them to the appropriate repository. The Department developed several updated policies in December 2007; however, the policies published on the Intranet still did not reflect the current technological environment or address security concerns.

Even though this deficiency was included in the last two Third Party Reviews, the Department had not taken comprehensive action to remedy the control weakness.

To ensure the framework exists to promote and guide security practices, the Department should thoroughly review and update security policies to address the current technological environment, consolidation issues, and present-day risks. Once finalized, the policies (and associated procedures) should be implemented, formally communicated, and disseminated (along with being placed in the appropriate repository) to all affected parties. (page 6)

The Department concurred with our recommendation. Department officials stated the Department is taking steps to address the recommendation.

Information Technology Billings

The Department billed user agencies for various services, based on utilizations and rates developed by the Department. However, based on inquiries and review of billing data, the Department had not implemented an adequate process/methodology to ensure the appropriateness of billings to agencies.

Billing invoices were the foundation for user agencies to make payments to the Department, including payments from the 11 agencies included in the consolidation of various functions of State government into the Department.

To ensure the accuracy of the billings, the Department should:
The Department concurred with our recommendation. Department officials stated that at the beginning of fiscal year 2008, BCCS instituted several new rates for services that had been previously billed through the IBiS system. Many of the issues found during the review were related to these newly rated services and BCCS is working diligently to correct any deficiencies and ensure proper controls are in place. The Department will also work to document the methodology used to develop these rates, as this is a requirement for the fiscal year 2008 Statewide Cost Allocation Plan. Department officials stated, by the beginning of fiscal year 2009, BCCS hopes to have rates for all services and no longer utilize the IBiS system.

Although not covered under audit standards as a deficiency, the deficiency outlined below may impact the Department’s ability to process information in the future.

Disaster Contingency Planning

Although the Department had developed some basic strategies to address the disaster contingency needs of the State’s Central Computer Facility, the plans and operational provisions need to be enhanced to provide assurance that all of the State’s critical applications and network operations can be recovered within required timeframes. The Department had not adequately implemented procedures to protect critical information resources, minimize the risk of unplanned interruptions, and ensure the availability of critical information resources within acceptable timeframes.

The State is placing great reliance on the Department’s ability to provide data processing and network services in the event of a disaster. As such, comprehensive and thoroughly tested disaster contingency plans are an essential component of recovery efforts.

The Department should ensure the necessary components (plans, equipment, and facilities) are available to provide for continuation of critical computer operations in the event of a disaster. In addition, the Department should conduct comprehensive tests of the plans on an annual basis. (page 7)

The Department partially concurred with our recommendation. Department officials stated they agree that they need to improve and update the plans, procedures and overall recovery documentation. However, the Department believes it has demonstrated through local and regional tests that it is able to recover the State’s Category 1 applications where the agencies have provided appropriate documentation to do so.

AUDITORS' OPINION

With the exception of the two significant deficiencies described above, procedures were generally sufficient to provide reasonable, but not absolute, assurance that relevant general and application control objectives were achieved.

________________________________________
WILLIAM G. HOLLAND, Auditor General

WGH:WJS