REPORT DIGEST
DEPARTMENT OF CENTRAL MANAGEMENT SERVICES
BUREAU OF COMMUNICATION AND COMPUTER SERVICES
THIRD PARTY REVIEW
For the Year Ended: June 30, 2009
Release Date: July 8, 2009
State of Illinois Office of the Auditor General
WILLIAM G. HOLLAND, AUDITOR GENERAL
To obtain a copy of the Report contact:
Office of the Auditor General, Iles Park Plaza, 740 E. Ash Street, Springfield, IL 62703
(217) 782-6046 or TTY (888) 261-2887
This Report Digest and Full Report are also available on the worldwide web at: www.auditor.illinois.gov
INTRODUCTION
The Department of Central Management Services’ (Department) Bureau of Communication and Computer Services carries out statutory responsibilities relating to data processing and telecommunication services (20 ILCS 405/405-10; 20 ILCS 405/405-20; 20 ILCS 405/405-250; 20 ILCS 405/405-255; 20 ILCS 405/405-260; 20 ILCS 405/405-270 and 20 ILCS 405/405-410). To fulfill its responsibilities, the Department operates the Central Computer Facility (CCF), the
The Department is mandated to manage or delegate the management of the procurement, retention, installation, maintenance, and operation of all electronic data processing equipment used by State agencies to achieve maximum economy consistent with development of adequate and timely information in a form suitable for management analysis, in a manner that provides for adequate security protection and back-up facilities for that equipment.
The Department functions as a service organization providing computing and telecommunication resources for State agencies’ use. The Department and the agencies that use the Department’s computer resources share the responsibility for maintaining the integrity and security of computerized data and functions.
We reviewed data processing general controls at the Department primarily during the period from January 5, 2009 to May 26, 2009. We performed tests to determine compliance with policies and procedures, conducted interviews, performed observations, and identified specific control objectives and procedures we considered necessary to evaluate the controls.
We also reviewed application controls for systems maintained by the Department for State agencies’ use. The systems reviewed were the Accounting Information, Central Payroll, Central Inventory, and Central Time and Attendance Systems.
ILLINOIS DEPARTMENT OF CENTRAL MANAGEMENT SERVICES
BUREAU OF COMMUNICATION AND COMPUTER SERVICES
STATISTICS 2009
Mainframes:
4 Units Configured as 11 Production Systems and 6 Test Systems
1 Unit Configured as 5 Systems for Business Continuity
Services/Workload:
Impact Printing – 7.2 Million Lines per Month
Laser Printing – 14.5 Million Pages per Month
State Agency Users: 96
Bureau Employees:
2006 — 777
2007 — 748
2008 — 708
2009 — 679
Historical Growth Trend (In the month of April for each year listed)
2006 — 3,217 — MIPS (Million Instructions per Second)
2007 — 3,962 — MIPS
2008 — 4,018 — MIPS
2009 — 4,035 — MIPS
Information provided by the Department – Unaudited
DEPARTMENT DIRECTOR AND DEPUTY DIRECTOR/BUREAU MANAGER
During Audit Period: Acting Director: Maureen O’Donnell (7/1/2008 to 8/24/2008)
Currently: Director: James Sledge (8/25/2008 to present)
During Audit Period and Current Deputy Director/Bureau Manager: Doug Kasamis
REPORT SUMMARY
We identified one significant deficiency for which we could not obtain reasonable assurance over the controls.
Information Technology Billings
The Department billed user agencies for various services, based on utilizations and rates developed by the Department. However, based on inquiries and review of billing data, the Department had not implemented an adequate process/methodology to ensure the appropriateness of billings to agencies.
Billing invoices were the foundation for user agencies to make payments to the Department, including payments from the 11 agencies included in the consolidation of various functions of State government into the Department.
To ensure the accuracy of the billings, the Department should:
• Develop a process to ensure billings are appropriate and accurately reflect services rendered.
• Develop a formal methodology to clearly document the allocations of rates and charges to user agencies. (See page 6 for additional information)
The Department concurs with the Auditor’s recommendations. We are working to improve our billing processes and the billing data we make available for rates that were introduced in the last two years as a result of the IT consolidations. We are also working on a comprehensive methodology document for all of our rates.
Although not covered under audit standards as a deficiency, the deficiency outlined below may impact the Department’s ability to process information in the future.
Disaster Contingency Planning
Although the Department had developed some basic strategies to address the disaster contingency needs of the State’s Central Computer Facility, the plans and operational provisions need to be enhanced to provide assurance that all of the State’s critical applications and network operations can be recovered within required timeframes.
Although a Recovery Methodology and Recovery Activation Plan existed, they had not been updated to reflect the current environment and referenced documentation which had not been fully developed.
A recovery test was performed in September 2008; however, all Category One applications were not included in the test and the test and supporting documentation did not meet the requirements outlined in the Recovery Activation Plan.
The State is placing great reliance on the Department’s ability to provide data processing and network services in the event of a disaster. As such, comprehensive and thoroughly tested disaster contingency plans are an essential component of recovery efforts.
The Department should ensure the necessary components (plans, equipment, and facilities) are available to provide for the continuation of critical computer operations in the event of a disaster. In addition, the Department should conduct and appropriately document comprehensive tests of the plans on an annual basis. (See pages 6-7 for additional information)
The Department partially concurs with the recommendations and is confident that the deficiencies found in Recovery Services do not impact the Department’s capacity to recover the critical environment and applications of the State. This is evident in the results of the latest comprehensive exercise – environment and applications were recovered in 48 hours, with no major issues. Nevertheless, the Department will continue its current efforts to update Recovery Services documentation, enhance and improve Recovery exercises, and communicate Recovery requirements to supported Agencies.
AUDITORS' OPINION
With the exception of the one significant deficiency described above, procedures were generally sufficient to provide reasonable, but not absolute, assurance that relevant general and application control objectives were achieved.
WILLIAM G. HOLLAND, Auditor General
WGH:WJS