State of Illinois

Office of the Auditor General

2022 Annual Report

 

 

March 1, 2023

 

The Honorable Members of the General Assembly

The Legislative Audit Commission

The Honorable JB Pritzker, Governor

Citizens of Illinois

 

Ladies and Gentlemen:

 

Enclosed is the Annual Report of the Auditor General’s Office, submitted in compliance with Section 3-15 of the Illinois State Auditing Act.

 

The mission of the Auditor General’s Office has been, and will continue to be, to present objective, balanced and independent audits. I believe this Annual Report reflects the Office’s success in fulfilling that goal during calendar year 2022.

 

I would like to thank the members of the General Assembly, members and staff of the Legislative Audit Commission, and the staff of the Auditor General’s Office, through whose efforts the reported accomplishments were made possible.

 

Yours truly,

 

FRANK J. MAUTINO

Auditor General

 

 

Overview

 

Frank J. Mautino became Auditor General of the State of Illinois on January 1, 2016. Prior to his appointment as Auditor General, Mr. Mautino was a member of the Illinois House of Representatives, and served as a co-chairman of the Legislative Audit Commission.

 

As a constitutional officer, the Auditor General audits public funds of the State and reports findings and recommendations to the General Assembly and to the Governor. The establishment of the Auditor General under the Legislature is important. It ensures that the Legislature, which grants funds and sets program goals, will ultimately review program expenditures and results. Thus, agencies are accountable to the people through their elected representatives.

 

The Auditor General’s Office performs several types of audits to review State agencies. Financial audits and Compliance examinations are mandated by law. They disclose the obligation, expenditure, receipt, and use of public funds. They also provide agencies with specific recommendations to help ensure compliance with State and federal statutes, rules and regulations.

 

Performance audits are conducted at the request of legislators to assist them in overseeing government. Programs, functions, and activities are reviewed according to the direction of the audit resolution or law directing the audit. The General Assembly may then use the audit recommendations to develop legislation for the improvement of government.

 

Information Systems audits are performed on the State’s computer networks. They determine whether appropriate controls and recovery procedures exist to manage and protect the State’s financial and confidential information.

 

Copies of all audits are made available to members of the Legislature, the Governor, the media, and the public. Findings include areas such as accounts receivable, computer security, contracts, expenditure control, leases, misappropriation of funds, personnel and payroll, property control, purchasing, reimbursements, telecommunications, and travel.

 

Audit reports are reviewed by the Legislative Audit Commission in a public hearing attended by agency officials. Testimony is taken from the agency regarding the audit findings and the plans the agency has for corrective action. In some cases, the Commission may decide to sponsor legislation to correct troublesome fiscal problems brought to light by an audit. All outstanding recommendations are reviewed during the next regularly scheduled audit of an agency or, if the Commission requests, a special interim audit may be conducted.

 

Public Information

 

An audit and its supporting workpapers, unless confidential by, or pursuant to, law or regulation, are public documents once the report has been officially released to the Legislature, the public, and the press. These documents are available for review in our Springfield and Chicago offices.

The following information is also available by request:

 

• Late Filing Affidavits

• Emergency Purchase Affidavits

• Contractual Services Certifications

 

Information about the Auditor General is available on the Internet. This information includes report summaries and full report texts.

 

Our internet web site address is: www.auditor.Illinois.gov

 

Our e-mail address is: audgen@auditor.illinois.gov

 

Public information is available by writing:

 

FOIA Officer

Office of the Auditor General

Iles Park Plaza

740 E. Ash St.

Springfield, IL 62703-3154

 

Springfield:

Telephone: (217) 782-6046

Fax: (217) 785-8222

 

Chicago:

Telephone: (312) 814-4000

Fax: (312) 814-4006 TTY: (888) 261-2887

 

Our Fraud Hotline is: Toll-Free: (855) 217-1895

 

Visit our web site at www.auditor.Illinois.gov for full details or for an on-line reporting form.

 

Organizational Chart

 

As of December 31, 2022, there were 75 employees. Seventy-one were located in the Springfield Office and four in the Chicago Office.

 

The Compliance Examination Program

 

The Auditor General is required by the Illinois State Auditing Act to conduct, as is appropriate to the agency’s operations, a financial audit and/or compliance examination of every State agency at least once every two years. These audits and examinations inform the public, the Legislature, and State officers about the obligation, expenditure, receipt, and use of public funds, and provide State agencies with specific recommendations to help ensure compliance with State and federal statutes, rules, and regulations.

 

The Compliance Audit Division conducted 92engagements during the FY 2022 audit cycle. These engagements encompassed compliance examinations, financial audits, and federal audits. Staff auditors conducted 23 of these audits.  The remainder were performed by public accounting firms under the general direction and management of the Auditor General’s audit managers. 

 

The Illinois Constitution of 1970 revised and expanded the traditional financial audits conducted of State agencies to focus on compliance with legislative intent and proper performance of governmental operations, as well as financial accountability.

 

The compliance program has a positive impact on the operations of State government because agencies implement many of the recommendations made in these reports. Compliance reports are also reviewed by the Legislative Audit Commission, where legislators question agency directors about audit findings and the corrective action they plan to take. Legislators and their staffs also use compliance reports during appropriation hearings in the spring legislative session.  To maximize the usefulness of audit information, the Office attempts to deliver audits as early as possible in the legislative session. 

 

Accountability

 

A number of reports issued since our last report had findings that were critically important from an accountability standpoint. A brief summary of some of these findings follows:

 

INADEQUATE FINANCIAL REPORTING PROCESS

 

The State of Illinois’ current financial reporting process does not allow the State to prepare a complete and accurate Annual Comprehensive Financial Report (ACFR) in a timely manner. Reporting issues at various individual agencies caused delays in finalizing the financial statements. The lack of timely financial reporting limits effective oversight of State finances. In addition, the Comptroller had weaknesses in the internal control over its change control and information technology environment.

 

Accurate and timely financial reporting problems continue to exist even though the auditors have

(1) continuously reported numerous findings on the internal controls (material weaknesses and significant deficiencies), (2) commented on the inadequacy of the financial reporting process of the State, and (3) regularly proposed adjustments to the financial statements year after year. These findings have been directed primarily towards major State agencies under the organizational structure of the Governor and towards the Comptroller.

 

The Comptroller has made significant changes to the system used to compile financial information; however, the State has not solved all the problems to effectively remediate these financial reporting weaknesses. The State has a highly decentralized financial reporting process due to the use of numerous financial reporting systems, many of which are not interrelated and require manual intervention to convert data. The process is also overly dependent on the post audit program, even though the Office of the Auditor General has repeatedly informed State agency officials that the post audit function is not a substitute for appropriate internal controls at State agencies.

 

Annual financial reporting to the Comptroller requires the State’s agencies to prepare a series of financial reporting forms (SCO forms) designed by the Comptroller, which are utilized to prepare the ACFR. Although these SCO forms are subject to review by the Comptroller’s financial reporting staff during the ACFR preparation process and there are recommended minimum qualifications for all new generally accepted accounting principles (GAAP) coordinators who oversee the preparation of the SCO forms, the current process still lacks sufficient internal controls at individual agencies.

 

In addition, we noted the Comptroller had information security weaknesses and inadequate processes and procedures for network changes and system development, including authorizations, approvals, segregation of duties, and backout and mitigation plans.

 

We recommended the Governor and the Comptroller continue to work together to resolve the State’s inability to produce timely and accurate GAAP-basis financial information. In addition, we recommended the Comptroller improve controls over information security, maintain adequate documentation of network changes, ensure policies and procedures are adequate and reflect the current operating environment, and ensure proper segregation of duties between the programmers.

 

The Office of the Governor agreed with the

recommendation, and stated they will continue to work with the Comptroller, and individual State agencies that have the most pressing challenges, to address the core issues of the State’s inability to produce timely and accurate GAAP-basis financial information. The Office of the Governor also stated the State agencies under the Governor are in the midst of a multi-year implementation of an Enterprise Resource Planning (ERP) system — an integrated enterprise-wide system that includes a financial accounting component. Currently, 65 State agencies, representing approximately 99.7% of the budget under the Governor’s purview, have “gone live” and begun using the financial accounting component of ERP. On July 1, 2022, eight additional agencies were added to ERP, such that all agencies that were originally included in the implementation plan for the new system will have the opportunity to utilize ERP’s accounting functions. Agencies will continue to assess how ERP can support them in the production of timely and accurate GAAP reporting. Further, the Governor anticipates that all agencies subject to the Grant Accountability and Transparency Act will join the Statewide grants management system, currently under development, in Fiscal Year 2024. The system will pull data from ERP, promoting consistency across state systems. Upon full implementation, the two systems are expected to improve internal controls and will better support the agencies’ production of accurate and timely financial statements. The Governor notes that it does not possess the authority to direct or control the financial reporting processes within the other constitutional offices.

 

The Office of Comptroller accepted our recommendation and stated the State still faces several roadblocks in the timely completion of the ACFR. The General Assembly enacted P.A. 97-0691, which extended the lapse period from August 31 to December 31 for Fiscal Year 2013 and future fiscal years for medical assistance payments of the Department of Healthcare and Family Services. Public Act 96-1501 extended the lapse period to October 31 for Fiscal Year 2021 for medical payments of the Department of Veterans’ Affairs and medical, childcare, and substance abuse treatment payments of the Department of Human Services. As a result of these extensions, the preparation and completion of critical financial schedules will continue to be delayed. In addition, the General Assembly enacted P.A. 102-0016, which extended the lapse period from August 31 to September 30 for Fiscal Year 2021 for all State agencies, further delaying the financial reporting process. More importantly, the Annual Comprehensive Financial Report completion continues to be delayed because of financial reporting issues identified during individual State agency financial and compliance audits. The report cannot be finalized until these issues are resolved at the individual State agency reporting level. The Comptroller will continue to work with the Governor’s Office, the Auditor General’s Office, and agency GAAP coordinators to improve the timeliness, quality, and processing of financial reporting for the State.

 

In addition, the Comptroller will work to improve written documentation of processes and procedures as they relate to information systems.

 

 

INADEQUATE FINANCIAL REPORTING PROCESS

 

The State of Illinois’ current financial reporting process does not allow the State to prepare a complete and accurate Annual Comprehensive Financial Report (ACFR) in a timely manner. Reporting issues at various individual agencies caused delays in finalizing the financial statements. The lack of timely financial reporting limits effective oversight of State finances. In addition, the Comptroller had weaknesses in the internal control over its change control and information technology environment.

 

Accurate and timely financial reporting problems continue to exist even though the auditors have

(1) continuously reported numerous findings on the internal controls (material weaknesses and significant deficiencies), (2) commented on the inadequacy of the financial reporting process of the State, and (3) regularly proposed adjustments to the financial statements year after year. These findings have been directed primarily towards major State agencies under the organizational structure of the Governor and towards the Comptroller.

 

The Comptroller has made significant changes to the system used to compile financial information; however, the State has not solved all the problems to effectively remediate these financial reporting weaknesses. The State has a highly decentralized financial reporting process due to the use of numerous financial reporting systems, many of which are not interrelated and require manual intervention to convert data. The process is also overly dependent on the post audit program, even though the Office of the Auditor General has repeatedly informed State agency officials that the post audit function is not a substitute for appropriate internal controls at State agencies.

 

Annual financial reporting to the Comptroller requires the State’s agencies to prepare a series of financial reporting forms (SCO forms) designed by the Comptroller, which are utilized to prepare the ACFR. Although these SCO forms are subject to review by the Comptroller’s financial reporting staff during the ACFR preparation process and there are recommended minimum qualifications for all new generally accepted accounting principles (GAAP) coordinators who oversee the preparation of the SCO forms, the current process still lacks sufficient internal controls at individual agencies.

 

In addition, we noted the Comptroller had information security weaknesses and inadequate processes and procedures for network changes and system development, including authorizations, approvals, segregation of duties, and backout and mitigation plans.

 

We recommended the Governor and the Comptroller continue to work together to resolve the State’s inability to produce timely and accurate GAAP-basis financial information. In addition, we recommended the Comptroller improve controls over information security, maintain adequate documentation of network changes, ensure policies and procedures are adequate and reflect the current operating environment, and ensure proper segregation of duties between the programmers.

 

The Office of the Governor agreed with the

recommendation, and stated they will continue to work with the Comptroller, and individual State agencies that have the most pressing challenges, to address the core issues of the State’s inability to produce timely and accurate GAAP-basis financial information. The Office of the Governor also stated the State agencies under the Governor are in the midst of a multi-year implementation of an Enterprise Resource Planning (ERP) system — an integrated enterprise-wide system that includes a financial accounting component. Currently, 65 State agencies, representing approximately 99.7% of the budget under the Governor’s purview, have “gone live” and begun using the financial accounting component of ERP. On July 1, 2022, eight additional agencies were added to ERP, such that all agencies that were originally included in the implementation plan for the new system will have the opportunity to utilize ERP’s accounting functions. Agencies will continue to assess how ERP can support them in the production of timely and accurate GAAP reporting. Further, the Governor anticipates that all agencies subject to the Grant Accountability and Transparency Act will join the Statewide grants management system, currently under development, in Fiscal Year 2024. The system will pull data from ERP, promoting consistency across state systems. Upon full implementation, the two systems are expected to improve internal controls and will better support the agencies’ production of accurate and timely financial statements. The Governor notes that it does not possess the authority to direct or control the financial reporting processes within the other constitutional offices.

 

The Office of Comptroller accepted our recommendation and stated the State still faces several roadblocks in the timely completion of the ACFR. The General Assembly enacted P.A. 97-0691, which extended the lapse period from August 31 to December 31 for Fiscal Year 2013 and future fiscal years for medical assistance payments of the Department of Healthcare and Family Services. Public Act 96-1501 extended the lapse period to October 31 for Fiscal Year 2021 for medical payments of the Department of Veterans’ Affairs and medical, childcare, and substance abuse treatment payments of the Department of Human Services. As a result of these extensions, the preparation and completion of critical financial schedules will continue to be delayed. In addition, the General Assembly enacted P.A. 102-0016, which extended the lapse period from August 31 to September 30 for Fiscal Year 2021 for all State agencies, further delaying the financial reporting process. More importantly, the Annual Comprehensive Financial Report completion continues to be delayed because of financial reporting issues identified during individual State agency financial and compliance audits. The report cannot be finalized until these issues are resolved at the individual State agency reporting level. The Comptroller will continue to work with the Governor’s Office, the Auditor General’s Office, and agency GAAP coordinators to improve the timeliness, quality, and processing of financial reporting for the State.

 

In addition, the Comptroller will work to improve written documentation of processes and procedures as they relate to information systems.

 

FINANCIAL REPORTING WEAKNESSES

 

The State of Illinois did not have adequate controls to assess the risk that information reported by individual agencies of the primary government would not be fairly stated and compliant with generally accepted accounting principles (GAAP). The Office of the Auditor General performed 24 audits at agencies of the primary government, including the five pension systems and the Illinois State Board of Investment. During these audits, we noted a total of 20 material weaknesses and 10 significant deficiencies related to the internal controls over the financial reporting process at 13 of the agencies.

 

Specifically, some of the more significant issues noted included the following:

• The Department of Healthcare and Family Services and the Department of Human Services failed to execute adequate internal controls over the Integrated Eligibility System.

• The Department of Healthcare and Family Services and the Department of Human Services failed to execute adequate internal controls over the operation of the Illinois Medical Program Advanced Cloud Technology system.

• The State Board of Education did not exercise adequate internal control over the State’s Evidence-Based Funding Formula.

 

Material weaknesses and significant deficiencies further extend financial reporting timelines since additional measurements and reporting are required. Completion or substantial completion of these audits is necessary for the Auditor General to issue an opinion on the State’s basic financial statements.

 

In addition to the deficiencies noted above, material misstatements were identified by the auditors at one agency. The adjustments totaled $332.5 million for the Business-Type Activities and Water Revolving Fund and $15.7 million for Fiduciary Funds (Finding 2, pages 11-16). This finding has been reported since 2002.

 

We recommended the State continue its efforts to improve internal control procedures in order to assess the risk of material misstatements to the financial statements and to identify such misstatements during the financial statement preparation process. We further recommended the internal control procedures include a formal evaluation of prior problems and implementation of procedures to reduce the risk of these problems reoccurring.

 

The Office of the Governor agreed with our recommendation and stated they will continue to work together with the Office of Comptroller and the State agencies under its jurisdiction to improve Statewide internal control procedures and reduce the likelihood of material misstatements to the financial statements. The State agencies under the Governor are in the midst of a multi-year implementation of an Enterprise Resource Planning (ERP) system — an integrated enterprise-wide system that includes a financial accounting component. Currently, 65 State agencies, representing approximately 99.7% of the budget under the Governor’s purview, have “gone live” and begun using the financial accounting component of ERP. On July 1, 2022, eight additional agencies were added to ERP, such that all agencies that were originally included in the implementation of the new system will have the opportunity to utilize ERP’s accounting functions. Agencies will continue to assess how ERP can support them and help them to assess the risk of material misstatements and identify such misstatements during the reporting process. Further, the Governor anticipates that all agencies subject to the Grant Accountability and Transparency Act will join the Statewide grants management system, currently under development, in Fiscal Year 2024. The system will pull data from ERP, promoting consistency across state systems. Upon full implementation, the two systems are expected to improve internal controls and will better support the agencies’ ability to avoid misstatements in the financial reporting process.

 

The Office of Comptroller accepted our recommendation and stated they will continue to assist the Governor’s Office in their efforts to increase the quality of GAAP packages by providing enhanced training and technical assistance to State agencies.

 

LACK OF CONTROLS OVER CENSUS DATA

 

The State of Illinois (State) did not develop a reconciliation process to provide assurance census data submitted by its agencies to its pension and other postemployment benefits (OPEB) plans was complete and accurate.

 

Census data is demographic data (date of birth, gender, years of service, etc.) of the active, inactive, or retired members of a pension or OPEB plan. The accumulation of inactive or retired members’ census data occurs before the current accumulation period of census data used in the plan’s actuarial valuation (which eventually flows into the State’s financial statements), meaning the plan is solely responsible for establishing internal controls over these records and transmitting this data to the plan’s actuary. In contrast, responsibility for active members’ census data during the current accumulation period is split between the plan and each member’s current employer(s). Initially, employers must accurately transmit census data elements of their employees to the plan. Then, the plan is responsible for recording and retaining these records for active employees and transmitting this census data to the plan’s actuary.

 

We noted the State’s employees are members of one of the State’s three retirement systems (State Employees’ Retirement System (SERS), General Assembly Retirement System (GARS), or Judges’ Retirement System (JRS)) for their pensions and the State Employees Group Insurance Program sponsored by the State of Illinois, Department of Central Management Services (CMS) for their OPEB. In addition, we noted these plans have characteristics of different types of pension and OPEB plans, including single employer plans and cost-sharing multiple employer plans.

 

During testing, we noted the State’s design of its internal control structure did not include a process to annually reconcile census data recorded by the plan from each employer’s transmissions during the year back to the supporting records retained by the agency/employer. There has been no initial complete reconciliation of census data recorded by the SERS, GARS, and JRS to the agency/employer internal records to establish a base year of complete and accurate census data. After establishing a base year, the agencies/employers have not developed a process to annually obtain from SERS, GARS, and JRS the incremental changes recorded in the census data during the year and reconcile these changes back to their internal supporting records.

 

We worked with our special assistant auditors to conduct sample testing of census data transactions at several significant primary government agencies as part of their financial statement audits. Due to the lack of a reconciliation process, we noted census data exceptions (agency-level reports are available on the Auditor General’s website) across the State’s primary government which should have been identified and corrected during an annual reconciliation process.

 

We worked with the plan actuaries to project the impact of the noted exceptions on the actuarial valuations and determined the exceptions did not materially impact the State’s financial statements.

 

For employers participating in plans with multiple-employer and cost-sharing characteristics, the Audit and Accounting Guide: State and Local Governments (AAG SLG) (§ 13.177 for pensions and § 14.184 for OPEB) published by the American Institute of Certified Public Accountants notes the determination of net pension/OPEB liability,

pension/OPEB expense, and the associated deferred inflows and deferred outflows of resources depends on employer-provided census data reported to the plan being complete and accurate along with the accumulation and maintenance of this data by the plan being complete and accurate. To help mitigate the risk of the plan’s actuary using incomplete or inaccurate census data within similar agent multiple-employer plans, the AAG-SLG (§ 13.181 (A-27) for pensions and § 14.141 for OPEB) recommends an employer annually reconcile its active members’ census data to a report from the plan of census data submitted to the plan’s actuary, by comparing the current year’s census data file to both the prior year’s census data file and its underlying records for changes occurring during the current year.

 

We recommended the Office of the Governor and Office of Comptroller work with the State agencies to develop an annual process to reconcile its active members’ census data from its agency/employer’s underlying records to a report from each plan of census data submitted to the plan’s actuary. After completing an initial full reconciliation, the State may limit the annual reconciliation to focus on the incremental changes to the census data file from the prior actuarial valuation, provided no risks are identified that incomplete or inaccurate reporting of census data may have occurred during prior periods.

 

The Office of the Governor accepted our recommendation and stated several State agencies already have numerous edit checks, reconciliation procedures, and internal controls to prevent error. Notably, some agencies selected for census data testing had no census data exceptions, and for those agencies that did have exceptions, the exceptions did not materially impact the current financial statement. The Governor acknowledges, however, that the State should work toward eliminating risk factors that could result in misstatements and miscalculations in the future. SRS took the lead to implement a Statewide annual census data reconciliation process in Fiscal Year 2022. Through this process, agencies will be responsible for annually reviewing significant census data elements and comparing with prior fiscal years’ data to ensure accuracy.

 

The Office of Comptroller accepted our recommendation and stated several State agencies that were selected for sample testing of census data had no exceptions, and as indicated in the finding, the exceptions that were noted in the census data testing at other agencies did not materially impact the State’s financial statements. State agencies, as well as the pension and OPEB plans, have numerous edit checks, reconciliation procedures, and internal controls that help minimize errors. However, the Comptroller agrees that a formal reconciliation process across all State agencies should be developed. SERS, GARS, and JRS began implementing a census data reconciliation process early in Fiscal Year 2022. As of the date of this response, GARS has completed a full reconciliation of their active member population, JRS is near completion of a full reconciliation of their active member population, and SERS, which has approximately 63,000 active members, expects to have reconciled over 85% of the population by the end of Fiscal Year 2022.

 

EVIDENCED-BASED FUNDING FORMULA ERROR

 

The State Board of Education (Agency) did not exercise adequate internal control over the State’s Evidence-Based Funding (EBF) Formula or promptly disclose a significant known matter to the auditors.

 

During fieldwork, we noted the following:

• Agency management disclosed a coding error to us regarding enrollment counts within the State’s Evidence-Based Funding Formula on April 22, 2022. As a result of this error, the Agency made a significant overpayment to one school district and underpayments to other school districts. We proposed an adjusting journal entry of $42.552 million to increase the amount due (a liability) to the underpaid school districts at June 30, 2021, which was recorded by Agency management in the Agency’s final financial statements. Further, we proposed the Agency’s management develop additional footnote disclosure to address the amount due to the Agency from the overpaid school district, which was included within the Agency’s final financial statements.

• According to Agency management, they became aware of this problem in December 2021 while preparing a report for the Agency’s Evidence-Based Funding Professional Review Panel. Agency management commenced an investigation of the problem and disclosed the existence of this matter to the Agency’s governing board in mid-February 2022. However, we only became aware of this problem through public news reports and legislative hearings in early April 2022. Subsequently, we inquired of Agency officials on April 22, 2022, for additional information about this undisclosed problem and the impact of the matter on the Agency’s ongoing financial audit.

 

We recommended the Agency implement controls, including adequate supervisory reviews, to ensure the formula for the State’s Evidence-Based Funding grant program strictly complies with the applicable provisions of the School Code. Further, we recommended the Agency comply with the Illinois State Auditing Act by the prompt and timely disclosure of known events, conditions, and transactions which could impact either an ongoing audit or previously released audit performed by the Auditor General, even if the full ramifications of the matter are not yet known.

 

The Agency agreed with the recommendation and stated corrective actions that will be employed to ensure the accuracy of the Evidence-Based Funding are initiating a process to pursue an independent audit of the Evidence-Based Funding Formula model, and conducting independent compilations of enrollment totals in order to validate the calculations from student-level counts to each Evidence-Based Funding Organization Unit’s unit-level summaries.

 

 

INSUFFICIENT REVIEW AND DOCUMENTATION OF PROVIDER ENROLLMENT DETERMINATIONS AND FAILURE TO EXECUTE INTERAGENCY AGREEMENTS

 

The Department of Healthcare and Family Services (HFS) failed to execute interagency agreements (IA) with the Department of Human Services (DHS) establishing adequate internal controls over the operation of the State of Illinois’ Illinois Medicaid Program Advanced Cloud Technology system (IMPACT). In addition, HFS failed to sufficiently review and document eligibility requirements either prior to the approval of eligibility, and/or during the required monthly screenings for enrolled providers.

 

Interagency Agreements

 

Auditors noted HFS did not enter into or have an existing IA with DHS defining each agency’s roles and responsibilities as they related to IMPACT during fiscal year 2021.

 

Detail Sample Testing of IMPACT Providers at HFS

 

During fiscal year 2021, 24,209 provider enrollment applications were approved in IMPACT. In order to determine if the providers’ applications were approved in accordance with federal and State laws/rules/regulations, a sample of 60 approved applications were selected for testing. Our testing noted seven (12%) approved provider applications did not contain documentation to substantiate a review of the provider’s required professional license or board certification to confirm the licenses/certifications were valid at the time the application was approved.

 

Detail Sample Testing of IMPACT Providers at DHS

 

During testing, the auditors determined DHS did not solely utilize IMPACT as the official book of record or consistently rely on it to verify its providers met certain Medicaid requirements prior to approving them to provide services. Specifically, in fiscal year 2021, DHS performed procedures to determine if its providers met certain Medicaid requirements outside of IMPACT. Upon completion of those procedures, DHS personnel then entered the providers’ information into IMPACT and approved the provider’s file in order to grant approval for payment.

 

In order to determine if DHS provider applications were approved in accordance with federal and State laws/rules/regulations, prior to DHS entering their information into IMPACT, the auditors selected a sample of 60 approved applications for detailed testing and had no exceptions.

 

Additionally, on a monthly basis, IMPACT conducts monthly screenings of provider profiles against several databases to determine if the provider licenses are valid and current, and identifies suspected criminal activity. During testing, the auditors determined DHS personnel did not regularly follow-up on issues identified in IMPACT during the monthly screenings.

 

We recommended HFS management work with DHS to ensure all provider applications are properly reviewed, approved, and documented within IMPACT. In addition, we recommended HFS work with DHS to execute detailed interagency agreements which document specific roles and responsibilities as they relate to IMPACT. Finally, until the interagency agreement is finalized, we recommended DHS follow-up on issues identified pertaining to their providers, from the IMPACT monthly screenings.

 

HFS accepted the recommendation and stated the interagency agreement is being finalized. HFS also stated provider enrollment staff works with DHS staff monthly to conduct quality assurance reviews of provider applications approved during previous month and any identified errors are communicated to DHS and corrected.

 

 

FAILURE TO IMPLEMENT GENERAL INFORMATION TECHNOLOGY CONTROLS OVER THE PANDEMIC UNEMPLOYMENT ASSISTANCE SYSTEM

 

The Department of Employment Security (Department) failed to implement general Information Technology (IT) controls over the Pandemic Unemployment Assistance (PUA) System (System).

 

In April 2020, the Department contracted with a service provider to provide the System as a Software as a Service (SaaS) and to provide hosting services for the System. The service provider maintained full control over the System.

 

During testing, we noted the following:

 

• The Department could not provide a System and Organization Control (SOC) report for the System.

• The service provider’s developers had access to the production environment. As a result, we were unable to determine if the developers made unauthorized changes to the environment, application, and data.

• The Department had not implemented internal controls over the System’s access.

• The Department had not implemented disaster recovery controls.

 

As a result of the lack of general IT controls over the System, we are unable to rely on the System and the proper documentation of claimant eligibility data and benefits paid. Furthermore, as a result of the lack of internal controls identified in this finding and finding 2, we are unable to obtain sufficient documentation to determine if the Department’s Unemployment Compensation Trust Fund (Trust Fund) financial statements are fairly presented. Therefore, we are issuing a disclaimer of opinion over the Department’s Trust Fund Fiscal Year 2021 financial statements.

 

We recommended the Department ensure the service provider’s contract requires obtaining a SOC report or an independent review. We also recommended the Department ensure the service provider’s developers’ access is restricted and changes are appropriate. Further, we recommended the Department develop and implement security controls and disaster recovery controls.

 

The Department accepted our recommendation.

 

FAILURE TO MAINTAIN ACCURATE AND COMPLETE PANDEMIC UNEMPLOYMENT ASSISTANCE CLAIMANT DATA

 

The Department of Employment Security (Department) failed to maintain accurate and complete Pandemic Unemployment Assistance (PUA) claimant data.

 

On March 27, 2020, the President of the United States signed the Coronavirus Aid, Relief, and Economic Security (CARES) Act which provided states the ability to provide unemployment insurance to individuals affected by the pandemic, including those who would not normally be eligible for unemployment. Based on the Department’s records, as of June 30, 2021, 424,887 claimants had received benefits totaling $8,168,499,998.

 

From June 2021 through January 2022, the Department attempted to provide complete and accurate PUA claimant data in order to determine if the claimants were properly determined eligible. After several attempts and considerable manipulation of the data to make the data more auditable and organized, it was determined complete and accurate PUA claimant data could not be provided. Therefore, we were unable to conduct detailed testing to determine whether the PUA claimants were entitled to benefits.

 

Due to the inability to conduct detailed claimant testing, we were unable to determine whether the Department’s Unemployment Compensation Trust Fund (Trust Fund) financial statements accurately document the PUA benefits paid during Fiscal Year 2021. Therefore, we issued a disclaimer of opinion over the Department’s Trust Fund Fiscal Year 2021 financial statements.

 

We recommended the Department implement controls to ensure the claimants’ data is complete and accurate.

 

The Department accepted our recommendation.

 

 

FAILURE TO APPLY APPROPRIATE GENERALLY ACCEPTED ACCOUNTING PRINCIPLES

 

The Western Illinois University (University) did not properly record several transactions and, as a result, did not properly apply appropriate generally accepted accounting principles (GAAP) to their financial statement reporting process.

 

We noted the following in our review of the financial statements submitted by the University with the GAAP Package to the Office of the Comptroller:

 

• The University acquired an ERP system from a third-party vendor and was involved in some development activities related to the ERP system for implementation. The University did not capitalize $283,367 of application development costs incurred.

• The University did not properly conduct an evaluation of all the agency funds in relation to the implementation of GASB Statement No. 84, Fiduciary Activities. We noted the University initially did not report any fiduciary funds financial statements and did not have related disclosures on fiduciary funds in the notes to the financial statements. We requested the University provide their documentation on their determination of which funds are to be reported as fiduciary funds. The University reperformed their evaluation and identified thirty-two (32) agency funds previously accounted for in governmental activities that should be reported as custodial funds. These custodial funds have assets totaling $394,245, liabilities totaling $75,213, and net position totaling $319,032 that were not properly reported in a Statement of Fiduciary Net Position. In addition, total beginning net position of $286,885, additions totaling $166,730 and deductions totaling $134,583 were not reported in a Statement of Changes in Fiduciary Net Position.

• The University did not properly calculate and report the institutional portion revenue on Higher Education Emergency Relief Fund (HEERF) II grants. The University met the eligibility requirements for student financial aid expenditures, institutional expenditures and lost revenues but did not recognize an additional $2,056,678 of institutional portion to the total HEERF II award amount it is entitled to in accordance with the HEERF II grant provisions. A revision was made to the Schedule of Expenditures and Federal Awards to reflect the changes.

 

The University subsequently adjusted the financial statements to correct these errors, including the required disclosures in the notes to the financial statements.

 

We recommended the University establish procedures to ensure that transactions which include special terms and reporting be carefully reviewed for proper accounting and recognition of related transactions, and, if necessary, accounting and reporting guidance should be obtained from technical resources to be in conformity with generally accepted accounting principles.

 

The University agreed with the finding and confirmed that all adjustments are reflected in the financial statements.

 

 

INADEQUATE MONITORING OF INTERNAL SERVICE FUND BILLINGS

 

The Department of Central Management Services (Department) did not adequately monitor billings for the Professional Services Fund and the Health Insurance Reserve Fund.

 

During testing of internal service fund billings, amounts due from other agencies, and amounts due from component units we noted the following:

 

• Several State employees are collectively represented by the Downstate Teamsters, Cook County Teamsters Local No. 700, Fox Valley Teamsters Local No. 330, and Teamsters Local No. 916 at the:

■ Department;

■ Department of Corrections (DOC);

■ Department of Innovation and Technology (DoIT);

■ Department of Human Services (DHS);

■ Department of Transportation (DOT);

■ Illinois State Police (ISP), which are paid for by the ISP, Illinois Gaming Board (IGB), Illinois State Toll Highway Authority (ISTHA), and DOT;

■ Department of Veterans’ Affairs (DVA);

■ Department of Natural Resources (DNR); and,

■ Department of Employment Security (covered position currently vacant).

 

Pursuant to the various agreements, these employees covered by these agreements can choose to opt-out of the State Employee Group Insurance Program (SEGIP)’s healthcare benefits and receive their employee healthcare through the union’s plan. Those employees who opt-out will participate in SEGIP for vision, dental, and life insurance benefits as an employee and then transition to SEGIP for all of their Other Postemployment Benefits (OPEB), including healthcare benefits, at retirement. In order to pay the unions for these employees’ healthcare costs, SEGIP initially pays the union and the Department then prepares supplemental billings for SEGIP to recover these costs and collect the associated retiree portion of group insurance contributions for SEGIP from each employee’s employer. These payments are made to the Health Insurance Reserve Fund.

 

As of June 30, 2021, $6,522,614 in supplemental billings were due to the Department. We noted the Department did not actively monitor its amounts due from multiple State agencies and ISTHA to ensure amounts due were timely collected. As such, we noted six of nine (67%) agencies made no payments or payments significantly lower than what was due since 2018.

After these issues were brought to the attention of the Department, $3,735,687 was also collected for these billings by December 2021.

 

The Department develops charges for professional services to be paid into the Professional Services Fund by using the last full fiscal year’s expenditures, devising a percentage of the total expenditures, and then prorating the amounts to the agencies by fund and dollar amount that receive professional services from the Department. This percentage is then multiplied by the professional services annual budget to determine the amount billed to each agency. During testing we noted agencies receiving professional services from the Department were billed based on the percentages established for Fiscal Year 2020 instead of Fiscal Year 2021. This resulted in 41 of 45 (91%) agencies receiving professional services from the Department being billed for the incorrect amount. The amounts under billed to agencies ranged from $200 to $269,200, and the amounts overbilled to agencies ranged from $200 to $704,900.

 

We recommended the Department ensure internal service fund billings are properly calculated and that the Department timely follows up on outstanding billings.

 

The Department accepted the finding and recommendation. The Department stated they have implemented processes and procedures to complete timely monitoring and follow up on internal service fund billings to ensure agencies are paying these billings in the fiscal year where the liability is incurred. Regarding the professional services billing, the Department stated that it has updated its procedures and review processes to help ensure billings are properly calculated.  

 

 

FAILURE TO IMPLEMENT LOTTERY SPORTS WAGERING

 

The Department of the Lottery (Department) has not implemented the Lottery Sports Wagering Pilot Program (SWP) as mandated by the Sports Wagering Act (Act) (230 ILCS 45/25-70).

 

Public Act 101-0031, effective on June 28, 2019, created the Act and the Department’s SWP for parlay wagers and fixed odds parlay wagers as part of a funding mechanism for vertical capital projects. Under § 25-70, the Department is mandated to issue one SWP central system provider license for a fee of $20 million following an open and competitive bidding process for 2,500 retail locations through June 22, 2020, which then increased to 5,000 retail locations thereafter. Further, after the General Assembly found an emergency existed and it was necessary to the public interest, safety, and welfare for the Department to promulgate emergency rules to get the SWP operational as soon as possible, § 25-70(i) authorized the adoption of emergency rules to administer the SWP. Finally, § 25-70(k) sunsets the SWP on January 1, 2024.

 

In response, the Department took the following actions during the examination period:

 

Date(s)  /  Event

• September 27, 2019: The Department posted a Request for Information (RFI) on three gaming industry websites.

• October 1-11, 2019: The Department received 10 replies from various gaming entities to its RFI.

• October 28-30, 2019 & November 12-14, 2019:  During the General Assembly’s Fall 2019 Veto Session, the Department sought an amendment to § 25-70 in the trailer bill. This bill, like subsequently introduced bills, attempted to (1) allow for integration between the SWP’s independent central system and the Department’s system, (2) allow debit and credit card transactions, (3) reduce the $20 million fee paid by the successful SWP, (4) change the flow of funds received by the Department from SWP, and (5) extend the sunset date of the SWP.

• Spring 2020 Session: The Department sought an amendment to § 25-70 similar to the amendment sought during the Fall 2019 Veto Session.

• June 8, 2020: The Department sent pre-draft administrative rules to the Joint Committee on Administrative Rules (JCAR), which were written assuming the Department’s changes would be approved by the General Assembly.

• June 18, 2020: JCAR sent a letter of comments to the Department about the pre-draft administrative rules, noting the Department had several proposed rules which were not supported by the current statutory text of § 25-70. As of June 30, 2021, the Department had not yet cleared JCAR’s comments.

• Fall 2020 Veto Session: The Department continued to seek an amendment to § 25-70 similar to the amendment sought during the General Assembly’s Fall 2019 Veto Session.

• Spring 2021 Session: The Department sought an amendment to § 25-70 similar to the amendment sought during the General Assembly’s Fall 2019 Veto Session.

• March 2021: The Department completed a draft Request for Proposals (RFP) to issue the SWP’s Central System Provider, who will serve as the private manager overseeing the SWP’s terminals, which was written assuming the Department’s changes would be approved by the General Assembly.

 

During testing, we noted the following:

• The Department has not implemented the SWP by issuing an RFP or adopting administrative rules under current law, which was effective over two years ago.

Department officials indicated they believe the General Assembly did not set a time frame for when the Department was required to fully implement the SWP.

• The Department did not post the RFI in the State’s online procurement bulletin, BidBuy.

 Department officials indicated the Chief Procurement Officer did not give the Department authorization to post the RFI on BidBuy.

 

While it is possible an RFP issued under current law may fail to yield any responses, failure to adopt administrative rules and issue an RFP as soon as possible after Public Act 101-0031 passed and implement the SWP guaranteed the Department (1) would not collect the $20 million license fee and (2) forewent potential revenues from wagers not placed which support both the Capital Projects Fund and Lottery retailers wanting to participate in the SWP. In addition, failure to post the RFI on BidBuy reduced public exposure of the Department’s RFI.

 

We recommended the Department issue an RFP to implement the SWP. Further, the Department should work with the Chief Procurement Officer to implement controls so future RFIs are posted on BidBuy in strict adherence with the provisions of the Illinois Administrative Code (IAC).

 

Department officials stated the following:

 

“The Department accepts the finding. Public Act 101-0031, effective on June 28, 2019, created the Act. Section 25-70 of the Act created the SWP. Prior to its passage the Department sanctioned Illinois-specific research to assess the impact and opportunity of legalized sports betting in the lottery environment. The Department also identified the initial concerns it had regarding the language included in the bills which later became Public Act 101-0031 and unsuccessfully lobbied for changes. Upon passage of the Act, the Department continued its due diligence for the purpose of implementing the SWP. The Department began project planning, conducted additional research and analysis, and initiated the development of a RFI for the purpose of determining the feasibility of the SWP under the current law.

 

“The Department compiled and released the RFI on the Department’s website as well as reputable gaming websites used by vendors that support the lottery industry domestically and abroad. The RFI was also forwarded to all interested parties listed on Bid Buy, the state’s online procurement bulletin, but as noted in the finding, the RFI was not posted on Bid Buy itself. The Department considered posting the RFI on Bid Buy, but after consultation with the state’s CPO, agreed the RFI should be part of the central system provider license bid process which the Department had statutory authority to complete outside of the state’s procurement process. Even without the use of Bid Buy, the RFI elicited 10 responses.

 

 “The preliminary research conducted by the Department and the results from the RFI indicated the SWP was not feasible in its current form. These results supported the Department’s initial assessment. Additional research and consultation with other states who have implemented similar programs, validated the Department’s assessment. Despite those results, the Department continues implementation efforts by further developing its plan, finalizing an RFP for the central system provider, increasing authorized headcount, and drafting administrative rules. The Department continues these efforts while concurrently identifying modifications to Public Act 101-0031 and lobbying for their passage.

 

 “The Department believes it is in the best interest of the State to apply the results of the RFI and research conducted in making modifications to the law that have been found critical in order to stand up a viable SWP program. The Department remains vigilant in its efforts to create the best program it can in accordance with the law.”

 

In an accountant’s comment, we noted, at this time, despite the Department’s repeated efforts to seek a legislative change, the General Assembly, as is their exclusive right, has chosen not to adopt the Department’s proposals and change § 25-70 of the Act. This fact – when considered in light of both (1) the ever diminishing likelihood an RFP issued under current law would yield any responses due to the approaching sunset date on January 1, 2024, and (2) the General Assembly’s determination that time was of the essence by authorizing the adoption of emergency rules to get the SWP operational as soon as possible – strongly supports our recommendation Department management should issue an RFP to implement the SWP.

 

Further, as requested by us during the exit conference, Department management has not provided documentation which supports its assertion the SWP is not subject to the State’s procurement process, including the provisions of the Illinois Procurement Code (Code) and related administrative rules within the IAC. Unlike the procurement process for the Department’s Private Manager which is explicitly exempted from the provisions of the Code unless specifically required by the management agreement entered into by the Department and the Private Manager by the Illinois Lottery Law (Law) (20 ILCS 1605/9.1(e)), the Code is not even mentioned in the Act nor is the Act mentioned in the Code. Like the Law, the Code (30 ILCS 500/1-10(d)) explicitly only exempts the procurement process for the Private Manager under § 9.1 of the Law. As such, we continue to believe the SWP is subject to the State’s procurement process, including the requirements for publishing RFIs within the IAC. If Department management continues to disagree with our recommendation, we recommend they seek a formal, written opinion from the Attorney General on the applicability of the State’s procurement process to the SWP.

    

 

NONCOMPLIANCE WITH THE STATE EMPLOYEES GROUP INSURANCE ACT OF 1971

 

The Department of Central Management Services (Department) did not ensure the repayment by Illinois State Toll Highway Authority (Tollway) of the pro rata share of certain retiree costs incurred by the State Employees Group Insurance Program (SEGIP) was complete and accurate.

 

During testing, we noted employee-related costs incurred by the Tollway include both Tollway employees and staff of the Illinois State Police (ISP) consisting of four groups, as defined and further described below:

 

1. “True Tollway Employees” work for the Tollway, including its administrative, engineering, traffic, construction, and maintenance staff. These employees are paid on Tollway payroll vouchers and participate in the Tollway’s own group insurance program. Upon retirement, they transition to SEGIP for their OPEB. SEGIP does not receive a “retiree-load” charge (a charge added to contributions for current employees to obtain cash to pay benefit costs for retirees on a pay-as-you-go basis) for these employees’ current benefits provided by the Tollway’s own group insurance plan.

2. “ISP District 15 State Troopers” consist of two groups providing personal services within ISP District 15, which patrols the highways and facilities which encompass the Tollway’s operations.

            a. The majority of these employees participate in the SEGIP for both their current employee benefits and OPEB during retirement.

            b. Master sergeants, however, can opt-out of SEGIP for healthcare benefits and participate in the Teamsters Local No. 727 Health and Welfare Benefits Fund for health insurance along with SEGIP for vision, dental, and life insurance benefits as an employee and then transition to SEGIP for all of their OPEB at retirement.

 

All troopers are paid on ISP’s payroll vouchers which are charged against the Tollway’s agency number and accounts. These vouchers include contributions to SEGIP for all troopers’ SEGIP-provided benefits. In addition, the Department prepares supplemental billings charged to the Tollway’s accounts for SEGIP to recover the healthcare costs paid to the Teamsters Local No. 727 Health and Welfare Benefits Fund along with the associated “retiree-load” for SEGIP.

 

“ISP District 15 Support Staff” are Tollway employees supporting the troopers assigned to ISP District 15. These employees are paid on Tollway payroll vouchers and participate in the Tollway’s own group insurance program until they transition to SEGIP for their OPEB at retirement. SEGIP does not receive a “retiree-load” charge calculated on these employees’ current benefits from the Tollway’s own group insurance plan.

 

The “True Tollway Employees” and “ISP District 15 Support Staff” groups are paid on Tollway payroll vouchers and participate in the Tollway’s group insurance program until they transition to SEGIP for their OPEB at retirement. As these groups participate in the Tollway’s group insurance program until retirement, the Department has not collected the “retiree-load” charge (a charge added to contributions for current employees to obtain cash to pay benefit costs for both employees and retirees on a pay-as-you-go basis) built into active-employee SEGIP contributions to fund costs associated with retirees participating in SEGIP. Rather, the State Employee Group Insurance Act (Act) (5 ILCS 375/11) requires the Tollway reimburse SEGIP for the pro rata share of the cost of providing retiree benefits to those retirees who had service in “True Tollway Employees” and “ISP District 15 Support Staff” positions compared to their total service to the State.

 

To enable the Tollway and the Department to follow this mandate during Calendar Year 2020, the State Employees’ Retirement System of Illinois (SERS) sent the Tollway a monthly extraction of Tollway-associated retirees along with each retiree’s total SERS’ service credit months and months of total service at the Tollway from SERS’ records. Further, this extraction included the State-paid OPEB costs for retirees, except for the State’s costs for “CMS Direct Bill” retirees, which SERS had previously extracted from the Department’s third-party administrator of SEGIP benefits for another purpose. The totality of this report was imported into the Tollway’s systems to generate a monthly invoice, where the amounts due were aggregated together across the calendar year for one contribution to SEGIP in February 2021.

 

Under Section 11 of the Act, the Tollway and the Department are solely responsible for ensuring compliance with this mandate. While SERS has some of the historical records necessary for the Tollway and the Department to fulfill this mandate, neither the Department nor the Tollway have communicated with nor entered into a written agreement with SERS so SERS officials could understand the information needs of the Tollway and the Department. As a result, the following occurred:

 

• Each retiree’s service months to the Tollway were not calculated on the same basis as SERS’ total months of service credit. After consultation with officials at the Department with input from SERS officials, it was determined SEGIP benefits are processed based on the service credit granted by SERS. As such, a month of Tollway service should only be included on the monthly extraction if SERS also granted service credit with the associated month of service.

• The monthly extraction from SERS did not include all retirees from the “True Tollway Employees” and “ISP District 15 Support Staff” groups, while some retirees from the Tollway’s other groups were incorrectly included within the monthly extraction.

• The monthly extraction from SERS did not include the State’s costs for “CMS Direct Bill” retirees. These retirees, as their pension is too small to cover their retiree contribution to SEGIP for their benefits, receive a supplemental billing from the Department for balance due.

• Officials at the Tollway and the Department failed to demonstrate the amounts remitted by the Tollway for the pro rata share of its retirees from the “True Tollway Employees” and “ISP District 15 Support Staff” groups to SEGIP were complete and accurate.

 

After bringing these problems to the attention of officials at the Tollway, SERS, and the Department, it was determined there was a net underpayment of contributions to SEGIP for the retirees from the “True Tollway Employees” and “ISP District 15 Support Staff” groups. The Department proceeded to work with Tollway staff to reconcile the underpayment. The Department received a SERS prepared data extraction of OPEB costs associated with retirees from the Tollway for every month starting calendar year 2018 through June of 2021, the data was reviewed and duplicates were removed to arrive at a list of unique retirees. That data was then shared with the Tollway and ISP to review the data and remove any retirees incorrectly included in the report due to their employment with ISP. Additionally, the Tollway provided a list of all Tollway employees that separated from active service from July to December of 2021. All of this data was provided to both SERS and the vendor the Department utilizes for benefits enrollment (vendor). SERS reviewed each individual to validate both their total service credits and their Tollway service credits. The vendor used the data to provide the employer’s cost of group insurance for each month from July 2017 to December 2021 for each retiree. That cost data was then summarized and adjusted to reflect each individuals pro rata share (Tollway service credits divided by total SERS service credits). After subtracting the payments previously made by Tollway for July 2017 to December 2021, it was determined the Tollway’s net underpayment of contributions to SEGIP was $22,297,846. The Tollway agreed with the amount and sent payment to the Department on May 20, 2022.

 

We recommended the Department communicate with the Tollway and SERS so all parties have a complete understanding of both the overall process and Tollway’s various employee groups so the factors unique to each group can be considered in calculating the Tollway’s monthly retiree OPEB cost repayment pursuant to Section 11 of the Act. Further, we recommended that when an understanding has been reached, the parties should enter into a formal, written interagency agreement to memorialize each party’s roles and responsibilities to fulfill this mandate.

 

Lastly, we recommended, that if, after investigation, the Department and the Tollway determine it is not possible and/or not practicable to comply with Section 11 of the Act for future periods, the Department and the Tollway work with the Governor and the General Assembly to develop a legislative remedy that addresses both the financing needs of SEGIP and facilitates financial reporting in accordance with generally accepted accounting principles.

 

The Department accepted the finding and stated the Department is in process of working with both the Illinois Toll Highway Authority and the State Retirement Systems to develop an agreed upon documented process by which each organization provides the necessary inputs and communication to develop an accurate and timely invoicing of the amounts due to the Department from the Tollway. The Department also stated that in addition to the development of the expected written procedure, the Department intends to seek legislative action that will provide for a more consistent treatment of Tollway employees and retirees as they relate to the reimbursement by the Tollway to the Department.

 

 

FAILURE TO ADHERE TO THE PROVISIONS OF THE FISCAL CONTROL AND INTERNAL AUDITING ACT

 

The Department of Central Management Services (Department) entered into interagency agreements that failed to adhere to the provisions of the Fiscal Control and Internal Auditing Act (Act).

 

During the engagement period, the Department was a party to interagency agreements with the following designated State agencies to provide internal audit services:

• Illinois Department of Agriculture

• Illinois Department of Corrections

• Illinois Department of Financial and Professional Regulation

• Illinois Department of Human Rights

• Illinois Department of Labor

• Illinois Department of Insurance

• Illinois Finance Authority

 

We noted the following issues with these interagency agreements:

 

• The Illinois Department of Agriculture, the Illinois Department of Financial and Professional Regulation, the Illinois Department of Human Rights and the Illinois Finance Authority did not have a Chief Internal Auditor during the engagement period and strictly relied on the Department to provide internal audit services. The interagency agreements ultimately resulted in these four agencies not maintaining their own full-time internal audit function. Further, these interagency agreements resulted in the Department’s Chief Internal Auditor not working full time with the Department’s own internal audit function. The Illinois Department of Corrections, the Illinois Department of Labor and the Illinois Department of Insurance utilized internal audit services of the Department during the engagement period, but did appoint their own Chief Internal Auditor. The agreements with the Illinois Department of Labor and the Illinois Department of Insurance were terminated during Fiscal

Year 2021.

• The Department did not obtain the Governor’s approval for the Department to provide professional internal auditing services to these State agencies.

• The Department inconsistently established reimbursement arrangements for these agreements and did not follow any of the reimbursement arrangements in the interagency agreements.

 

We recommended the Department not enter into interagency agreements which result in agencies and the Department not maintaining their own full-time internal audit function. Additionally, we recommended any other services provided to agencies be done only with the approval of the Governor. Further, we recommended the Department consistently establish and enforce reimbursement arrangements for its interagency agreements.

 

The Department accepted the finding and recommendation and stated they are in the process of addressing the identified billing issues, which will allow the necessary changes to the provisions of the intergovernmental agreements and become compliant. The Department also stated that as for the issue identified about the Chief Internal Auditor at Central Management Services providing support for other designated state agencies, the Bureau has now trained multiple staff that are close to being qualified to becoming Chief Internal Auditors and, as such, are committed to exploring options that will entice them to consider these positions.

 

 

INADEQUATE INTERNAL CONTROLS RELATED TO REVIEW OF FINANCIAL STATEMENTS

 

The Office of the Treasurer (Office) had inadequate internal controls over the Office’s Fiscal Officer Responsibilities financial statement adjustment process.

 

During testing of the Statements of Assets and Other Debits, Liabilities and Accountabilities (financial statements), it was determined the Clearing Account Deposits and Deposits in Transit as well as the Agencies’ Deposits Outside the State Treasury accounts were each understated by $1,635,711,097.

 

As the Office collects deposits into the State Treasury from various State of Illinois Agencies, the Office issues a non-negotiable draft for Agencies to utilize in recording the deposits with the Illinois Office of Comptroller (IOC). Throughout the year several Agencies deposited the same non-negotiable drafts with the IOC more than one time. After the IOC accepted and credited these duplicate deposits as new deposits, the Office identified them as duplicates and sent correspondence to the responsible Agencies to rectify the duplication. At June 30, 2021, certain Agencies had not corrected their duplicate deposits. The Office’s cash account reconciliations at June 30, 2021 reported reconciling items which included both the duplicate deposit as well as any other deposits for the day the duplicate occurred. When preparing the financial statements, the Office recorded a journal entry to adjust Clearing Account Deposits and Deposits in-Transit as well as Agencies’ Deposits Outside the State Treasury accounts by the total of all reconciling items reported on their June 30, 2021 cash reconciliations. Only the duplicate deposit portion of the reconciling items would have been double counted in the available cash balance reported by the IOC.

 

We recommended the Office improve controls over the financial reporting process for the Fiscal Officer Responsibilities, specifically verifying information received to prepare financial statements is being appropriately reviewed to facilitate accurate year-end adjustments.

 

The Office accepted the recommendation and stated they have adopted additional review and communication processes to identify and resolve agency duplications to facilitate accurate financial reporting and year-end adjustments. Further, the Office stated they plan to work with the IOC to prevent duplicate non-negotiable drafts from being credited.  

 

 

INADEQUATE CONTROLS OVER ACCOUNTS RECEIVABLE

 

The Department of Human Services (Department) is in violation of its policies and procedures, as well as, statutory requirements regarding the administration of accounts receivable at its State-Operated Developmental Disabilities (DD) and Mental Health (MH) Centers.  

 

During testing of the Department’s billing and payment of services rendered at its State-Operated DD and MH Centers during the examination period, we noted multiple inconsistencies between the Department’s Program Directive and the performance of daily activities undertaken by the DD and MH Centers’ Recipient Resource Unit staff, the Department’s Central Office Revenue Cash Management Unit staff, and the Department’s Central Office Collections Unit staff. Further, because the Department’s State-Operated DD and MH Centers’ main accounts receivable tracking system is a patient system, we noted the system can lead to inaccuracies in the amounts due.

 

Due to these conditions, we were unable to conclude the Department’s population records were sufficiently precise and detailed under the Attestation Standards promulgated by the American Institute of Certified Public Accountants (AT-C §205.36) to fully test the Department’s compliance with requirements governing accounts receivable collections procedures at the State-Operated DD and MH Centers.

 

Even given the population limitation noted above which hindered the ability of the accountants to conclude whether selected samples were representative of the population as a whole, we performed on-site testing of 60 residents’ accounts receivable at three of the Department’s State-Operated DD and MH Centers. Our testing resulted in the following exceptions:

 

Elgin Mental Health Center

• For 2 of 45 (4%) residents tested who were Medicaid recipients, Center staff failed to bill the client after discharge.

• For 2 of 22 (9%) residents tested who had left the Facility, Center staff did not send a Notice of Determination (Notice) until years after discharge, instead of a month after discharge. The Notices were sent 118 and 132 months late.

• For 1 of 13 (8%) residents tested with a balance over 180 days old, Center staff failed to notify the Department’s Central Office to write off the account after 180 days of it being outstanding.

The account, as of June 30, 2021, was outstanding for 96 months.

• In the prior examination, we noted $2,107,173 in payments from Medicare, Medicaid, and the Social Security Administration which were not applied to individual client accounts or refunded to the applicable program. In the current examination, Center staff could not provide an update on the unapplied amounts.

 

We recommended Department management update its policies and procedures governing accounts receivable and ensure staff comply with the updated policies and procedures. Additionally, we recommended Department management and staff maintain detailed records of all billings and the corresponding collections to facilitate proper reporting of accounts receivable activity. We also recommended Department management and staff consider writing off delinquent or uncollectible accounts to reflect only realizable amounts.

 

The Department accepted the recommendation and stated its Office of Fiscal Services has updated and implemented accounts receivable procedures. The Department further stated its Division of Mental Health will continue to review policies and procedures over accounts receivable and ensure staff are adequately trained.

 

 

FAILURE TO INSPECT FACILITIES WHERE DEAD ANIMALS OR USED COOKING GREASE AND OIL ARE FOUND

 

The Department of Agriculture (Department) did not comply with the Animal Mortality Act. Specifically, we noted the Department failed to inspect all licensed facilities where dead animals or used cooking grease and oil were found during Fiscal Year 2020 and 2021. According to Department records, there were 33 and 32 active licenses in Fiscal Year 2020 and 2021, respectively.

 

We recommended the Department allocate additional resources to ensure all licensed facilities under this Act are inspected annually as required by State law.

 

The Department accepted this finding but stated the Department’s position is that it is carrying out its regulatory authority as required by the Act.

 

FAILURE TO PERFORM PARITY COMPLIANCE AUDITS OF MANAGED CARE ORGANIZATIONS

 

The Department of Healthcare and Family Services (Department) did not perform parity compliance audits of managed care organizations (MCOs).

 

During testing, we noted the Department has not performed parity compliance audits of MCOs and, therefore, has not made the findings and conclusions of these audits available to the public on the Department’s website. This mandate was added to the Illinois Insurance Code (Code) by Public Act 100-1024, which was effective on January 1, 2019.

 

The Code (215 ILCS 5/370c(d)(3)) requires the Department to perform parity compliance audits of individual and group plans and policies, including, but not limited to, reviews of:

• nonquantitative treatment limitations, including, but not limited to, prior authorization requirements, concurrent review, retrospective review, step therapy, network admission standards, reimbursement rates, and geographic restrictions;

• denials of authorization, payment, and coverage; and;

• other specific criteria as may be determined by the Department.

 

Further, the Code states the findings and the conclusions of the parity compliance market conduct examinations and audits shall be made public.

 

We recommended the Department perform parity compliance audits of MCOs and make the findings and conclusions of those audits available to the public on the Department’s website. In addition, we recommended the Department should ensure, when it requires a contractor to assist it in meeting statutory mandates, the contractor is in place with a fully executed written agreement to comply with the mandate in a timely manner.

 

The Department accepted the recommendation and stated the Department is in the process of performing the required parity compliance audit of the MCOs.

 

 

FAILURE TO MAINTAIN ELECTRONIC RECORDS

 

The Illinois Community College Board (Board) failed to maintain electronic records of its activity during Fiscal Year 2021.

 

On July 1, 2022, the Board’s Information Technology (IT) environment encountered a catastrophic hardware failure, resulting in the total loss of their IT environment, applications, and data. Further, the Board had determined the backups of their IT environment, applications, and data had not been completed successfully. Therefore, the Board’s IT environment, applications, and data did not exist in order for the accountants to conduct an examination to determine the Board’s compliance with the specified requirements as described in the Audit Guide for Financial Audits and Compliance Attestation Engagements of Illinois State Agencies.

 

We recommended the Board continue to work to restore their IT environment, applications, and data. In addition, we recommended the Board ensure its backups complete successfully.

 

Board officials agreed with the finding and indicated the hardware failure occurred during a City of Springfield electrical power outage while powering off and on the aged IT infrastructure. Board IT staff have implemented the following processes to protect IT infrastructure and electronic records during future power outages, which includes the upcoming installation of new servers and backup equipment.

 

1. ICCB, through assistance from vendor expertise, has documented the best procedures and sequence for taking down and bringing back up the current systems to mitigate issues in the event of a power failure. Several unscheduled power outages have occurred since July 2021 with Board IT powering systems back on without issue based on these established procedures.

2. ICCB has instituted a redundant backup process where backups are occurring under two separate solutions and IT has compared each of the backups being performed to ensure that they are the same size, same data, and contain data backed up on the same date.

3. ICCB has purchased new servers and will soon be transitioning to new application servers/backup servers to position ICCB appropriately with a modern IT infrastructure in the event of future power outages or hardware failures. Moving from the current to new systems will ensure resiliency and strengthen current backup processes further.

4. ICCB is in the process of acquiring new backup hardware and software that will be fully integrated with our new and updated server environment.

 

Additionally, the Board is procuring disaster data recovery services with a vendor to assess, perform testing, and recover records stored on the failed hardware, which houses needed electronic records lost from the power outage.

  

 

WEAKNESSES IN SECURITY OVER COMPUTERS

 

The Eastern Illinois University (University) had weaknesses over the security of computers.

 

During the examination period, we noted the University encrypted approximately 15% of its laptop and desktop computers. Furthermore, we noted 1,600 of 1,873 (85%) computers required encryption to be installed.

 

Additionally, we noted 152 hard drives removed from computers sent to the University’s warehouse for surplus had not been properly destroyed or sanitized/wiped of data.

 

We recommended the University ensure all laptops and computer equipment have adequate security such as encryption installed. Additionally, we recommended the University destroy and/or wipe its devices currently held in its internal surplus.

 

University officials agreed with the recommendation and stated they are working to encrypt all laptop computers.

 

 

NONCOMPLIANCE WITH THE ILLINOIS HEALTH POLICY CENTER ACT

 

The University of Illinois (University) did not comply with the requirements of the Illinois Health Policy Center Act (Act).

 

As of June 30, 2021, the University had not created the Illinois Health Policy Center (Center) as required by the Act. The purpose of the Center is to develop and implement policies to improve the health and healthcare of the people of Illinois.

 

The Illinois Health Policy Center Act (110 ILCS 430/10) requires the Illinois Health Policy Center to be created within the University of Illinois, to be sponsored by the University of Illinois at Chicago College of Medicine and the University of Illinois Institute of Government and Public Affairs.

 

We recommended the University comply with the requirements of the Illinois Health Policy Center Act or seek legislative remedy.

 

University officials accepted the recommendation.

 

 

CHILD ABUSE REPORTER TRAINING ACT

 

The Governors State University (University) did not comply with the Abused and Neglected Child Reporting Act (Act) regarding training. Our testing of 35 employees identified:

 

• 11 (31%) employees did not receive the required reporter training within one year of initial employment or within three months of initial employment if they were hired after 1/1/2020.

• 2 (6%) employees for which the University did not have any documentation in which the employee acknowledged the Act’s reporting requirements.

• 9 (26%) employees did not sign the documentation in which the employee acknowledged the reporting requirements of the Act prior to the commencement of employment.

• 18 (51%) employees signed documents after January 1, 2019 acknowledging the reporting requirements of the Act; however the form was not up to date as it did not include information regarding mandated reporter training provided by the Department of Children and Family Services.

 

We recommended the University comply with the requirements of the Act and ensure all employees receive the proper training within the required timeframe, include the proper information in the employee’s signed training statements, and timely obtain signed statements from required employees.

 

University officials agreed with the finding and stated the University will modify its practices to work towards compliance.

 

 

FAILURE TO ESTABLISH AND MAINTAIN ADEQUATE INTERNAL CONTROL OVER THE SPECIAL STATE TRUST FUND

 

The Department of Labor (Department) failed to establish and maintain adequate control over its Special State Trust Fund (Fund 251), which holds unpaid wages due to employees. As of June 30, 2021, Fund 251 had $1,897,262 in cash.

 

Pursuant to the Illinois Wage Payment and Collection Act (WPCA) (820 ILCS 115/11.5(a)), the Department collects, when necessary, an employee’s wages or final compensation due and holds these moneys until the employee (now, claimant) can be located by the Department and properly paid. Additionally, pursuant to the Minimum Wage Law (MWL) (820 ILCS 105/12(b)), the Department collects, when necessary, unpaid minimum wages and overtime due to employees and holds these moneys until the employee (now, claimant) can be located by the Department and properly paid. Finally, the Statewide Accounting Management System (SAMS) (Procedure 05.50.01) notes fiduciary funds account for assets held by a governmental unit in a trustee capacity or as an agent for individuals, and SAMS (Exhibit 27.50.10-A) notes Fund 251 is an agency type of fiduciary fund.

 

During our testing, we noted:

• Two of 60 (3%) claimant payments tested, totaling $5,144, were approved for payment between 14 to 16 days after the Department determined the monies were owed to the claimant.

• We were unable to reconcile the Department’s ledger of claimants to Fund 251’s cash balance from the Monthly Cash Report (SB05) prepared by the Comptroller. We noted unreconciled differences of $1,451,268 and $1,386,031 at June 30, 2020, and June 30, 2021, respectively.

• At June 30, 2021, the Department was holding claimant balances related to activity in previous Fiscal Years. Each of these balances required a proper disposition by the Department.  

 

We recommended the Department take action to ensure:

• claimant payments are promptly processed and paid, along with the posting of proper accounting entries, when distributed from Fund 251;

•reconciliations of the total amount due to claimants at the end of each month to the SB05 report are performed and any unreconciled discrepancies are investigated and properly resolved;

• amounts due to claimants older than one year under the MWL are promptly transferred to the General Revenue Fund, with the timely posting of proper accounting entries; and,

• amounts due to claimants under the WPCA are properly handled under the relevant provisions of RUUPA, with the timely posting of proper accounting entries.

 

The Department accepted the recommendation and stated they are working to identify all unpaid claimants. The Department also stated they have made transfers during Fiscal Year 2022 in accordance with WPCA and MWL and will continue to make a good faith effort in locating claimants prior to transferring funds.

 

 

 

FEDERAL AUDITING

 

STATEWIDE SINGLE AUDIT UPDATE

 

The purpose of the Statewide Single Audit is to fulfill the State mandate in accepting federal funding. It includes all State agencies that are part of the primary government and expend federal awards. In total, 55 Illinois State agencies expended federal financial assistance in FY 2021.

The schedule of expenditures of federal awards reflects total expenditures of $62.4 billion for the year ended June 30, 2021. Overall, the State participated in 294 different federal programs; however, 10 of these programs or program clusters accounted for 88.4% of the total federal award expenditures.

 

Federal Agencies Providing Federal Funding

For the year ended June 30, 2021

(Amounts in millions)

 

Labor:   $ 22,715.3

Health & Human Services:  19,884.9

Agriculture:  7,017.5

Education:  4,940.2

Treasury: 2,946.8

All Others:  4,912.6

Total Federal Award Expenditures: $ 62,417.3

Source: FY2021 State of Illinois Single Audit Report

 

 

Overall, 12 State agencies accounted for approximately 99.0% of all federal dollars spent during FY2021.

 

SUMMARY OF FEDERAL SPENDING BY STATE AGENCY

For the year ended June 30, 2021

(Amounts in millions)

 

Employment Security:  $ 23,820.2

Healthcare & Family Services:  17,177.8

Human Services:  8,000.8

Board of Education:  3,107.3

Student Assistance Commission:  2,487.9

Transportation:  2,382.3

Emergency Management Agency: 2,303.0

Commerce & Economic Opportunity:  986.7

Public Health:  753.9

Children & Family Services:  370.3

Corrections: 264.5

Environmental Protection Agency: 134.6

All Others: 628.0

Total Federal Spending: $ 62,417.3

Source: FY2021 State of Illinois Supplemental Report of

Federal Expenditures by Agency/Program Fund.

 

Our audit testing focused primarily on the 21 major programs expending about $54.3 billion in federal awards.

 

Our report contained 40 findings related to 10 State agencies. 

 

 

The Performance Audit Program

 

Performance audits are conducted at the request of legislators to assist them in their oversight function.  Based on the scope specified in the resolution or the law requesting the audit, State agencies’ programs, functions, and activities are reviewed.  The audits determine if the services are provided as intended by the General Assembly and directly impact and improve agency operations. 

 

The General Assembly uses performance audit information to develop legislation, to deal with budgetary issues, and to direct agencies to improve programs. Some audits produce immediate changes. For example, the 2019 performance audit of the Department of Children and Family Services Investigations of Abuse and Neglect identified several issues related to investigations of child abuse and neglect. Legislation was passed in the Spring of 2019 (Public Act 101-0528) to establish a process by which both unfounded reports and indicated reports of abuse and neglect undergo further review. In addition, the Department is required to file reports about these reviews with the General Assembly. The audit also highlighted issues with the Department’s child abuse hotline. Subsequently, a State Senator requested a review of the hotline. The Department contracted with the University of Illinois’ Children and Family Research Center which conducted the review and issued a report in November 2019 that included 11 recommendations to the Department.

 

In other instances, significant changes may not be seen for several years. The length of time it takes to see changes is due to the process of transforming the audit findings and recommendations into legislative bills and converting bills into law; additionally, once a law is implemented, the effects may not be apparent for some time.

 

The National State Auditors Association (NSAA) established the Excellence in Accountability

Awards Program in 2003 to recognize outstanding performance audits and special projects.  Performance audits performed by the Office of the Auditor General (OAG) have received six NSAA awards in past years:

 

• 2019 Performance Audit of the Department of Children and Family Services Investigations of Abuse and Neglect;

• 2014 Neighborhood Recovery Initiative Audit (Honorable Mention);

• 2012 Management Audit of the Department of State Police’s Administration of the Firearm Owner’s Identification Act;

• 2007 Performance Audit of the Mass Transit Agencies of Northeastern Illinois: RTA, CTA, Metra, and Pace;

• 2004 Management and Program Audit of the Rend Lake Conservancy District; and

• 2003 Management Audit of the Illinois State Toll Highway Authority.

 

Another national organization, the National Legislative Program Evaluation Society (NLPES) also has an Impact Award that is given annually to audits that demonstrate significant dollar savings, program improvements, or impact from a legislative and public perspective.  The OAG has received the NLPES award for many audits as well:

 

• 2021 Performance Audit of the Department of Children and Family Services LGBTQ Youth in Care;

• 2019 Performance Audit of the Department of Children and Family Services Investigations of Abuse and Neglect;

• 2019 Performance Audit of Legionnaires’ Disease at the Quincy Veterans’ Home;

• 2018 Performance Audit of Medicaid Managed Care Organizations;

• 2016 Program Audit of the College of DuPage;

• 2014 Neighborhood Recovery Initiative Audit;

• 2012 Management Audit of the College Illinois!  Prepaid Tuition Program’s Administrative Operations;

• 2012 Management Audit of the Department of State Police’s Administration of the Firearm Owner’s Identification Act;

• 2011 Management Audit of the State’s Financial Reporting System;

• 2010 Program Audit of the Covering ALL KIDS Health Insurance Program;

• 2009 Management and Program Audit of the Illinois State Police’s Division of Forensic Services;

• 2008 Performance Audit of the Department of Healthcare and Family Services’ Prompt Payment Act Compliance and Medicaid Payment Process;

• 2007 Performance Audit of the Mass Transit Agencies of Northeastern Illinois;

• 2006 Management Audit of the Flu Vaccine Procurement and the I-SaveRx Program;

• 2004 Management and Program Audit of the Rend Lake Conservancy District;

• 2003 Management Audit of the Illinois State Toll Highway Authority;

• 2002 Management Audit of Agency Use of Internet User Tracking Technology;

• 2001 State Board of Education and Other State Agencies Providing Funding to Illinois’ Regional Offices of Education;

• 2000 Management Audit of Child Support State Disbursement Unit;

• 1999 Management Audit of the Pilsen Little Village Community Mental Health Center; and

• 1998 Management Audit of Tuition and Fee Waivers. 

 

 

PERFORMANCE AUDITS COMPLETED IN 2022

 

 The Auditor General released three performance audits and three reviews in 2022. The performance audits released are listed below. Performance audits released in 2022 included 16 recommendations for improvement.

 

STATE’S RESPONSE TO THE COVID-19 OUTBREAK AT THE LASALLE VETERANS’ HOME

 

On April 28, 2021, the Illinois House of Representatives adopted House Resolution Number 62, which directed the Office of the Auditor General to conduct a performance audit of the State’s response to the management of the COVID-19 outbreak at the LaSalle Veterans’ Home.

 

Based on tests administered prior to the end of October 2020, 13 residents and staff (8 residents and 5 staff) tested positive. According to the Illinois Department of Public Health (IDPH), by November 4, 2020, 57 residents and staff (46 residents and 11 staff) had tested positive for COVID-19. By the end of November 2020, 203 total positive cases had been identified at the LaSalle Home. According to IDPH, in total, between October 23, 2020 and December 9, 2020, 109 of the Home’s 128 residents (85%) and 88 of the Home’s 231 staff (38%) had tested positive for COVID-19.

 

The audit found:

• Although IDPH officials were informed of the increasing positive cases almost on a daily basis by the Illinois Department of Veterans’ Affairs (IDVA) Chief of Staff, IDPH did not identify and respond to the seriousness of the outbreak. It was the IDVA Chief of Staff who ultimately had to request assistance. The IDVA Chief of Staff inquired about a site visit and about rapid tests (November 9th), and inquired about getting antibody treatments (November 11th) for LaSalle Veterans’ Home residents. From the documents reviewed, IDPH officials did not offer any advice or assistance as to how to slow the spread at the Home, offer to provide additional rapid COVID-19 tests, and were unsure of the availability of the antibody treatments for long-term care settings prior to being requested by the IDVA Chief of Staff.

• The outbreak at the LaSalle Veterans’ Home occurred at a time when COVID-19 cases were trending up statewide. Positive cases in Region 2 (where the LaSalle Home is located) increased from 12,108 in October 2020 to 37,825 in November 2020, an increase of 212.4 percent. Also, the outbreak occurred prior to the COVID-19 vaccine. Prior to the outbreak that began at the end of October 2020, only six staff members had tested positive for COVID-19. Even though the LaSalle Home had designated areas for isolation and quarantine, once the virus entered the Home, it spread very rapidly.

• The time it took to receive staff COVID-19 testing results from the IDPH lab was lengthened by the collection method used by the LaSalle Home. The Home tested staff over a three day period. As a result, new tests of staff collected on November 3rd, 4th, and 5th were not delivered to the IDPH lab until Thursday, November 5th, even though the first two staff members from the outbreak were found to be positive by Sunday, November 1st. The IDPH lab published the majority of the test results on either Friday or Saturday. Therefore, the delay in getting testing results was primarily due to the collection method used by the LaSalle Home. Additionally, the testing method, collecting tests over three days, was not in compliance with the facility’s policy, which allowed for testing over two days.

• IDVA provided auditors with new infection prevention policies on June 17, 2021, which were drafted with the assistance of IDPH, which were officially implemented on April 23, 2021. The purpose of these policies was to establish a comprehensive and integrated infection prevention and control program at all Illinois veterans’ homes.

A system-level Infection Prevention and Control Committee was tasked with standardizing policies and procedures and was required to oversee infection prevention at the Illinois veterans’ homes. These policies also updated infection prevention training requirements for staff at Illinois veterans’ homes.

• The LaSalle Veterans’ Home implemented several infrastructure improvements during FY20 and FY21 as a result of the COVID-19 pandemic and outbreak at the Home. Prior to the outbreak, external firms were commissioned to design and build airborne infection isolation rooms at IDVA Homes, including the LaSalle Home. The construction of the isolation rooms was initiated in March of 2020 and operational by May 23, 2020. Payments made for the construction of the isolation rooms totaled $1,057,470. In total, the cost for all infrastructure improvements from March 2020 through June 2021 totaled $1,162,719.

• The State expended approximately $3.4 million between FY20 and FY21 as a result of the COVID-19 pandemic at the LaSalle Veterans’ Home. According to documentation provided by IDPH and IDVA, expenditures included personal protective equipment (PPE), infrastructure improvements, and COVID-19 testing for both the COVID-19 pandemic as a whole and the outbreak at the LaSalle Home that began in late October 2020. Auditors concluded that the outbreak did not significantly add to the Home’s overall COVID-19-related costs during FY20 and FY21.

• The Department of Human Services’ Office of the Inspector General (DHS OIG) investigation reported that the significance of the outbreak was not being meaningfully tracked by the IDVA Chief of Staff. In fact, auditors found the Chief of Staff provided detailed information to IDPH that was used by the Director of IDPH in her daily COVID19 briefings. IDPH and the First Assistant Deputy Governor for Health & Human Services were provided detailed emails of COVID-19 positive cases and related deaths for each of the four State veterans’ homes by IDVA on November 2nd, 3rd, 4th, 5th, 6th, 9th, 10th, 12th, and 13th. The primary finding of the DHS OIG report, which indicated the “absence of any standard operating procedures in the event of a COVID-19 outbreak,” was flawed. Auditors identified hundreds of pages of guidance provided by IDPH and by the Centers for Disease Control. In addition, COVID-19 policies were formulated by IDVA specifically for the LaSalle Veterans’ Home as well as a Continuity of Operations Plan that was reviewed by the Illinois Emergency Management Agency and was provided to IDPH back in March 2020.

 

The audit report contained three recommendations. Two recommendations were directed to the Department of Veterans’ Affairs and one was directed to the Department of Public Health. The Departments agreed with the recommendations.

 

 

DEPARTMENT OF CHILDREN AND FAMILY SERVICES CHILD SAFETY AND WELL-BEING

 

Public Act 101-0237 (Act) was enacted on August 9, 2019, and it amended both the Children and Family Services Act (20 ILCS 505) and the Abused and Neglected Child Reporting Act (325 ILCS 5). The Act also directed the Auditor General to conduct a performance audit one year after the effective date of January 1, 2020. The audit is to determine if the Department of Children and Family Services (DCFS) is meeting the requirements of the Act. Within two years of the audit’s release, the Auditor General is to conduct a follow-up performance audit in order to determine if DCFS has implemented the recommendations within the initial performance audit.

 

On May 5, 2021, House Resolution 165 was passed which renamed Public Act 101-0237 to “Ta’Naja’s Law,” after Ta’Naja Barnes. Ta’Naja was a two-year-old child who died on February 11, 2019, approximately six months after custody was remanded to her mother. Based on preliminary autopsy findings, her death was due to dehydration, malnourishment, physical neglect, and cold exposure. Ta’Naja Barnes’ mother and her mother’s boyfriend have subsequently been convicted of murder for her death.

 

The audit found:

• Home Safety Checklists are home safety assessments and educational tools that assist in promoting the safety of children. A Home Safety Checklist is to be completed by DCFS whenever it is determined by a court that a child that has been court ordered into foster or substitute care can return to the custody of the parent or guardian. DCFS was unable to provide 192 of the 195 (98%) required Home Safety Checklists within our sample. Additionally, according to DCFS’ website, Home Safety Checklists had still not been updated with required new language as of March 16, 2022.

• Aftercare services are to be provided to the child and child’s family by DCFS or a purchase of service agency, and shall begin on the date upon which the child is returned to the custody or guardianship of the parent or guardian. However, DCFS did not ensure that children and families were receiving the recommended aftercare services for the required six months upon family reunification. Of the 50 cases tested, 29 (58%) did not have at least six months of documented aftercare services, according to information within DCFS’ system of record. In addition, aftercare services procedures were not updated to reflect the new requirements within Public Act 101-0237 until December 28, 2020, almost an entire year after the effective date of the Act.

• Children in DCFS’ care are not receiving their well-child visits/checkups as required by the federal Centers for Medicare and Medicaid Services, the Department of Public Health’s administrative rules, the Department of Healthcare and Family Services handbook for providers, and the American Academy of Pediatrics guidelines, as well as DCFS’ own procedures. Of the 50 cases tested within each category, 9 (18%) were missing at least one physical examination, 7 (14%) were missing at least one vision screening, 28 (56%) were missing at least one hearing screening, and 44 (88%) were missing at least one dental exam, according to data within DCFS’ system of record. There were also numerous data entry errors and inconsistent data entry locations for dates when services were received.

• Auditors attempted to review 50 cases to ensure that children were up to date on their age-appropriate immunizations. However, after reviewing 10 cases, it was determined that the immunizations data within DCFS’ system of record was unreliable for testing. DCFS was able to provide hard copy medical records showing that only nine influenza vaccinations were actually missing.

• The system of record for DCFS, the Statewide Automated Child Welfare Information System (SACWIS), is unable to track or identify child welfare service referrals and child protective investigations that are initiated as a result of the new requirements pursuant to Public Act 101-0237. Because DCFS was unable to provide a population, auditors were unable to test for compliance with the Act.

• When reviewing the organizational chart data provided by DCFS, auditors determined that 3,291 (55%) of the 6,037 positions listed within DCFS’ Operations divisions are categorized as unfunded. Of the 2,746 positions that are categorized as funded, 573 (21%) are vacant.

 

The audit report contained eight recommendations directed to the Department of Children and

Family Services. The Department agreed with the recommendations.

 

 

MEDICAID ELIGIBILITY DETERMINATIONS FOR LONG-TERM CARE

 

On August 25, 2017, the Governor signed into law Public Act 100-380 which amended the Illinois Public Aid Code. This amendment to the Illinois Public Aid Code requires that beginning July 1, 2017, the Auditor General is to report every three years to the General Assembly on the performance and compliance of the Department of Healthcare and Family Services (HFS), the Department of Human Services (DHS), and the Department on Aging (DoA) in meeting the requirements placed upon them by Section 11-5.4 of the Illinois Public Aid Code and federal requirements concerning eligibility determinations for Medicaid long-term care services and supports.

 

This is the second audit (CY18-CY20) on their performance and compliance related to Medicaid eligibility determinations for long-term care. The first audit (CY15-CY17)was released in March 2019 and contained eight recommendations.

 

The audit found:

• Issues related to the Integrated Eligibility System (IES) continued to be identified. These issues surrounded the system’s internal controls as well as the completeness of the data provided. Due to these issues, we determined reviewing the entire population of the applications data would not provide accurate results for the purposes of this audit and instead performed sample testing.

• For the 50 applications tested, we found that only 15 applications (30%) had an eligibility determination completed within the required timelines. On average, the 50 applications were 72 days overdue. We found cases with an HFS Office of the Inspector General (OIG) referral were an average of 125 days overdue while cases without an HFS OIG referral were 47 days overdue.

• In addition, despite differences between the various reports produced by HFS, all three reports reviewed indicated applicants were not receiving their determinations of eligibility in a timely manner. Consequently, the status of the prior recommendation on the timeliness of eligibility determinations was determined to be not implemented.

• DHS and HFS noted that an IES system enhancement was established to address the processing delays related to OIG asset investigations. However, applications involving HFS OIG asset discovery investigations continued to be overdue during this audit period. The prior audit found that applications involving asset discovery investigations were an average of 114 days overdue. For this audit, we tested 16 cases referred to the HFS OIG in fiscal year 2020 to follow up on this recommendation. During this testing, we found that applications involving asset discovery referrals were an average of 125 days overdue.

• In addition, multiple issues were identified for these HFS OIG cases during our review. These issues included incorrect information in IES and a lack of controls in IES. As a result, the status of the recommendation on processing delays related to HFS OIG asset discovery investigations was determined to be partially implemented.

• DHS and HFS continued to not adequately track extensions in IES during this audit period. For the 13 extension cases reviewed, 10 cases (77%) contained issues such as inaccurate IES data, a lack of extension information in IES, or more than two extensions. According to HFS, a defect was discovered during the audit that affected the accuracy of the data in IES. As a result, the status of the recommendation on extension tracking was determined to be not implemented.

• The prior audit found the LTC monthly reports did not contain all elements as required by statute. We reviewed the LTC monthly reports for calendar years 2018 to 2020 and found HFS had added missing elements to the reports but was not providing all the information as required. As a result, the status of this recommendation on the LTC monthly report completeness was determined to be partially implemented.

• During the prior audit, we found the LTC monthly reports were not accurate due to duplicate entries and other issues with the source data and a potential overstatement of the number of days applications are pending. During this audit, we reviewed the monthly reports for calendar years 2018 to 2020 and found similar issues with accuracy that were identified during the prior audit. We also found 11 of 50 applicants tested (22%) had a reported disability which would allow 60 days for processing those applications.

• We also requested LTC data on the total number of redeterminations completed during the audit and found the redeterminations data in the monthly reports contained multiple issues. Therefore, the status of the recommendation on the LTC monthly report accuracy was determined to benot implemented.

• Public Act 100-380 requests the Auditor General to review and evaluate the efficacy and efficiency of the task-based process used for making eligibility determinations in the centralized offices of DHS for LTC services. During this audit period, DHS made the decision to move away from the task-based system to a new facility-based system. According to DHS, there were significantly more pros and less cons for the facility-based approach. Although the decision to switch to the facility-based approach appeared to be reasonable, additional follow-up will need to be conducted during the next audit period. In addition, the agencies need to address the issue of IES not fully supporting the facility-based model before the required review of this during the next audit period.

 

The audit report contained five recommendations directed to DHS and HFS. DHS and HFS agreed with the recommendations.

 

 

REGIONAL OFFICES OF EDUCATION AUDITS

 

In addition to other duties, the Auditor General has the responsibility for annual audits of the financial statements of the regional superintendent of schools of each educational service region in the State.

 

There were a total of 38 Fiscal Year 2021 audits the Performance Audit Division had the responsibility for: 35 of Regional Offices of Education (ROEs) and 3 of Intermediate Service Centers (ISCs). Our Office arranged for auditing firms to perform these audits under the general direction and management of the Auditor General’s audit managers.

 

The FY21 ROE audits released in 2021-2022 contained a total of 45 recommendations for improvement. Most of the recommendations dealt with the ROEs not having sufficient internal controls including controls over their financial reporting processes.

 

 

 

PERFORMANCE AUDITS IN PROGRESS

 

 

ILLINOIS DEPARTMENT OF EMPLOYMENT SECURITY’S UNEMPLOYMENT PROGRAMS

 

On September 1, 2021, the Legislative Audit Commission adopted Resolution Number 158, which directed the Office of the Auditor General to conduct a performance audit of the unemployment programs administered by the Illinois Department of Employment Security during the period of March 1, 2020, to September 6, 2021. The audit was to specifically include, but not be limited to, the following determinations:

1. A review of the application and review processes and the payment of benefits to individuals focusing on any fraud or inefficiencies which could be eliminated to contain costs and improve the delivery of benefits to eligible individuals;

2. To the extent feasible, a detailed account of the funds allegedly disbursed to ineligible and/or fraudulent claimants;

3. The types of unemployment fraud schemes the Illinois Department of Employment Security has experienced and what steps and procedures it has taken to detect and respond to fraudulent unemployment claims and whether it has cooperated with the Illinois Attorney General or federal authorities to detect, counter, and prosecute potentially fraudulent cases;

4. Whether the Illinois Department of Employment Security has complied with all State and federal statutory and administrative requirements for processing and auditing unemployment claims;

5. An examination of the Illinois Department of Employment Security’s decision not to implement additional fraud-prevention tools in April 2020as recommended by the federal government and a report on whether the State has, since that time, come into compliance with federal recommendations;

 6. What factors caused and continue to cause delays in the Illinois Department of Employment Security’s processing of unemployment claims, looking particularly at administrative decisions, technology, and staffing, and what steps the Illinois Department of Employment Security has taken to alleviate these delays;

7. What third-party contractors did the Illinois Department of Employment Security utilize during this time period and were any of these contracts no-bid contracts; did a third-party contractor calculate weekly benefit amounts for Pandemic Unemployment Assistance claimants and, if so, were there any procedures to verify the accuracy of their calculations; did third-party contractors meet the performance measure established by the Illinois Department of Employment Security prior to the issuance of the contracts; and

8. A summary of the average case processing time, the timeliness of benefit payments, and the accuracy of these payments.

 

 

BUSINESS INTERRUPTION GRANT PROGRAM

 

On September 1, 2021, the Legislative Audit Commission adopted Resolution Number 159, which directed the Office of the Auditor General to conduct a program audit of the Business Interruption Grant (BIG) program for the period March 2020 to July 2021. The audit was to specifically include, but not be limited to, the following determinations:

 

1. An examination of the application process,the documentation submitted, and the selection of grants by DCEO, DHS, and DOA for the BIG program;

2. An examination of the monitoring oversight by DCEO, DHS, and DOA for grant recipients including whether all eligibility requirements were satisfied and expenses submitted were allowable;

3. An examination of how DCEO allocatedfunding in the BIG program to disproportionately impacted areas and whether the allocation was at least 30 percent of total funding;

4. An examination of DCEO compliance with prioritizing severely impacted businesses and industries;

5. An examination of the role of the Community Navigators, if any, in the selection of grant recipients in the BIG program; and

6. An examination of the actions taken by DCEO, DHS, and DOA when a BIG participant was not in compliance with any step in the application process or made a material misrepresentation in reporting on the use of funds provided as part of the BIG program.

 

 

STATE’S BOARDS AND COMMISSIONS

 

On April 4, 2022, the Illinois House of Representatives adopted House Resolution 677, which directed the Office of the Auditor General to conduct a management audit of the State’s boards and commissions. The audit was to specifically include, but not be limited to, the following for every known State board and commission:

1. Its name and purpose;

2. The number of appointed members and the number of vacancies and the length of the vacancies;

3. Costs of member stipends, salaries, and per diems and expense reimbursements to members and State officials and employees for attending board and commission meetings during Fiscal Years 2021 and 2022;

4. The date of each of the board’s or commission’s meetings during Fiscal Years 2021 and 2022 and the number of members in attendance and the number of members absent; and

5. Identification of any report or work product prepared and made available by the board or commission during Fiscal Years 2021 and 2022.

 

 

PHARMACY BENEFIT MANAGERS

 

On April 9, 2022, the Illinois Senate adopted Senate Resolution 792, which directed the Office of the Auditor General to conduct a performance audit of the Department of Healthcare and Family Services’ administration of pharmacy benefit managers. The audit was to specifically include, but not be limited to, the following determinations:

1. The amount of State and federal funds used by managed care organizations to reimburse pharmacy benefit managers and, in time, the amount paid by pharmacy benefit managers to reimburse pharmacies for fiscal years 2020 and 2021;

2. An examination of contracts between managed care organizations and pharmacy benefit man- agers and between pharmacy benefit managers and pharmacies receiving reimbursement;

3. The level of oversight the Department of Healthcare and Family Services provides over the contracts and over the pharmacy benefit managers to ensure compliance with contract requirements;

4. An overview of the distribution of and payments for pharmaceuticals in the medical assistance managed care program;

5. A review of the reimbursement practices and reimbursement rates of managed care organizations to pharmacy benefit managers; and

6. A review of the reimbursement practices and reimbursement rates of pharmacy benefit managers to pharmacies, including out-of-state pharmacies and pharmacies affiliated with pharmacy benefit managers.

 

 

COVERING ALL KIDS HEALTH INSURANCE PROGRAM (FISCAL YEARS 2019-2022)

 

Public Act 95-985 amended the Covering ALL KIDS Health Insurance Act [215 ILCS 170/63] and directed the Auditor General to annually audit the ALL KIDS program. Public Act 101-0272 further amended the Covering ALL KIDS Health Insurance Act. The Act now requires the Auditor General to perform an audit of the Program on or before June 30, 2022 and every 3 years thereafter (rather than annually).

 

This will be the 11th audit and will cover fiscal years 2019 – 2022. The focus of this audit will be on “EXPANDED ALL KIDS,” which is the portion of the ALL KIDS program that serves uninsured children not previously covered by KidCare (children whose family income was greater than 200% of the federal poverty level or who were undocumented immigrants).

 

 

IDOT’S DISADVANTAGED BUSINESS ENTERPRISE (DBE) CERTIFICATION PROGRAM

 

On September 1, 2021, the Legislative Audit Commission adopted Resolution Number 160, which directed the Office of the Auditor General to conduct a performance audit of the Illinois Department of Transportation’s certification of businesses as DBEs (Disadvantaged Business Enterprise) through the Illinois Unified Certification Program (IL UCP). The audit was to specifically include, but not be limited to, the following determinations:

 

1. Whether certification and recertification procedures are adequate to assure that businesses certified by IDOT in the IL UCP are legitimately classified as businesses owned and controlled by minorities, females, or persons with disabilities;

2. Whether the established procedures and processes that govern certification of businesses owned and controlled by minorities, females, or persons with disabilities are being followed;

3. Whether staff responsible for certification of these businesses have received adequate training;

4. What steps are followed to verify information provided by businesses certified by IDOT in the IL UCP, such as review of pertinent documentation, interviews, and on-site visits;

5. Whether the certifications are periodically reviewed to ensure that businesses in the program continue to be qualified for participation;

6. Whether procedures for enforcing compliance with federal regulations, including contract termination and contractor suspension, are adequate and uniformly enforced; and

7. Whether recent DBE goals established by IDOT have been met.

 

 

REGIONAL OFFICES OF EDUCATION

 

Since 2002, the School Code (105 ILCS 5/2-3.17a) has required the Auditor General’s Office to conduct annual audits of the financial statements of all accounts, funds, and other moneys in the care, custody, or control of the regional superintendent of schools of each educational service region in the State. For Fiscal Year 2022, a total of 38 audits are to be performed.

 

 

 

OAG FRAUD HOTLINE

 

The Auditor General’s Office is required by law [30 ILCS 5/2-15, added by P.A. 97-261, effective August 5, 2011] to operate a toll-free fraud hotline for the public to report allegations of fraud in the executive branch of State government. The hotline went into operation at the beginning of January 2012.

 

The toll free number is 1-855-217-1895. The hotline is available 24 hours a day, 7 days a week. Live operators are generally available Monday-Friday from 8:00 a.m. to 4:00 p.m. (CST).

 

In addition to calling the toll-free number, other options have been established for the public to report allegations of fraud. The public may also:

• Complete the Fraud Reporting Form on-line located on the OAG web-site (www.auditor.illinois.gov);

• E-mail a description of the allegation to: Hotline@auditor.illinois.gov;

• Contact the Auditor General via telecommunications device for the disabled (TTY) at 1-888-261-2887; or

 • Send a written report via the U.S. Postal Service to the following address:

Fraud Hotline, Auditor General’s Office, 740 E. Ash St., Springfield, IL 62703.

 

Individuals reporting alleged fraud to the hotline may remain anonymous. However, if the individual chooses not to be identified, the Office’s ability to follow up on the allegation may be limited.

 

More information regarding the reporting of fraud allegations can be found at the Fraud Hotline section of the OAG website. Jurisdiction of the Fraud Hotline does not include the legislative or judicial branches of government, nor units of local government. Other resources the public may use to report fraud if it is outside of the jurisdiction of the OAG can also be found on the website. Even if the Auditor General’s Office does not have jurisdiction over the allegation, our hotline manager will try to direct the caller to another State, federal, or local agency that may be able to help.

 

 

 

The Information Systems Audit Program

 

Computers are an integral part of State government, processing billions of dollars in financial transactions each year and helping control the operations of State agencies. Since financial transactions and confidential information are processed using computers, audits of information system activities are necessary to ensure that computer processing is secure and accurate.

 

TESTING CONTROLS AND SYSTEMS

 

The Auditor General’s office plans to continue to emphasize the review of information system controls at State agencies. We performed information system reviews at the following agencies:

 

Department of Agriculture, Department of Central Management Services, Eastern Illinois University, Illinois Emergency Management Agency, Department of Employment Security, Governors State University, Department of Healthcare and Family Services, Department of Human Services, Department of the Lottery, Northeastern Illinois University, Department of Public Health, Office of Secretary of State, Office of the Treasurer, State Universities Retirement System, and Western Illinois University.

 

To enhance the control environment, the Auditor General has emphasized the review of cybersecurity, networks, access rights, and the security and control of confidential information. These reviews have focused on the necessity of establishing consistent and effective security policies and programs, performing comprehensive risk assessments, and implementing comprehensive security techniques on all computer systems.

 

 

ISA FINDINGS

 

 Eleven agencies ­­— Eastern Illinois University, Illinois Emergency Management Agency, Department of Employment Security, Governors State University, Illinois State University, Illinois Labor Relations Board, Department of the Lottery, Northeastern Illinois University, Southern Illinois University, State Police Merit Board, and University of Illinois ­­— had not established adequate controls for securing their computer resources.  We recommended that these agencies evaluate their computer environments and ensure adequate security controls and policies exist to safeguard computer resources.  

 

Eight agencies — Illinois Conservation Foundation, Department of Employment Security, Governors State University, Liquor Control Commission, Northeastern Illinois University, Department of Public Health, Office of Secretary of State, and Southern Illinois University ­­— had not completed all requirements to demonstrate full compliance with the Payment Card Industry Data Security Standards.   We recommended that these agencies at least annually, assess each program accepting credit card payments, review and validate its environment, and ensure agreements with service providers are current and maintained. 

 

Nine agencies — Department of Agriculture, Chicago State University, State Board of Elections, Department of Employment Security, Department of Healthcare and Family Services, Department of Human Services, Department of Labor, Department of the Lottery, and Illinois Workers’ Compensation Commission — had not implemented an effective change management processes to ensure changes to computer applications were properly approved, tested, and documented.   We recommended that these agencies develop and implement change management standards to ensure adequate oversight of all changes to computer applications.

 

Nineteen agencies — Chicago State University, Department of Central Management Services,  Illinois Criminal Justice Information Authority, State Employees Retirement System, Department of Employment Security, Office of Executive Inspector General, General Assembly Retirement System, Governors State University, Department of Human Rights, Department of Human Services, Judges Retirement System, Department of Labor, Illinois Liquor Control Commission, Department of the Lottery, Illinois Mathematics and Science Academy, Northeastern Illinois University, Northern Illinois University, Office of Secretary of State, and Illinois Worker’s Compensation Commission — had not developed or implemented access provisioning policies to ensure access rights to computer systems were properly controlled.  We recommended that these agencies develop and implement access provisioning policies to ensure access rights are approved, disabled timely, and periodically reviewed. 

 

Twenty-nine — Department of Agriculture, Illinois Arts Council, Chicago State University, Illinois Conservation Foundation, Eastern Illinois University, State Board of Elections, Illinois Emergency Management Agency, State Employees’ Retirement System, Department of Employment Security, Office of Executive Inspector General, Illinois Finance Authority, Department of Healthcare and Family Services, Department of Human Rights, Department of Human Services, Department of Labor, Department of the Lottery, General Assembly Senate, Governors State University, Guardianship and Advocacy Commission, Illinois Mathematics and Science Academy, Northeastern Illinois University, Northern Illinois University, Department of Public Health, Office of Secretary of State, Southern Illinois University, Supreme Court, State Universities Retirement System, Western Illinois University, and Illinois Workers’ Compensation Commission — did not perform and document internal control reviews of all external data processing related service providers. We recommended that these agencies obtain or perform independent reviews of internal controls associated with service providers at least annually.

 

Twenty-one agencies — Abraham Lincoln Presidential Library and Museum, Department of Agriculture, Illinois Arts Council, Department of Central Management Services, Chicago State University, State Board of Elections, State Employees Retirement System, Department of Employment Security, Office of Executive Inspector General, Department of Healthcare and Family Services, Illinois Housing Development Authority, Department of Human Rights, Department of Human Services, Illinois State University, Department of Labor, Department of the Lottery, Illinois Mathematics and Science Academy, Northeastern Illinois University,  Office of Secretary of State, University of Illinois, and Illinois Worker’s Compensation Commission — had not adequately developed or tested recovery plans to provide for continuation of critical computer operations in the event of a disaster.  We recommended that these agencies develop and test disaster contingency plans.

 

 

Cybersecurity Audits

 

Public Act 100-914 amended the Illinois State Auditing Act (30 ILCS 5/3-2.4 new) to specifically include Cybersecurity as part of our Compliance Examination program with an effective date of January 1, 2019.

 

Sec. 3-2.4. Cybersecurity audit.

 

(a) In conjunction with its annual compliance examination program, the Auditor General shall review State agencies and their cybersecurity programs and practices, with a particular focus on agencies holding large volumes of personal information.

 

(b) The review required under this Section shall, at a minimum, assess the following:

 

(1) the effectiveness of State agency cybersecurity practices;

            (2) the risks or vulnerabilities of the cybersecurity systems used by State agencies;

            (3) the types of information that are most susceptible to attack;

            (4) ways to improve cybersecurity and eliminate vulnerabilities to State cybersecurity systems; and

            (5) any other information concerning the cyber-security of State agencies that the Auditor General deems necessary and proper

 

(c) Any findings resulting from the testing conducted under this section shall be included within the applicable State agency’s compliance examination report.

 

To address the amendment, on the compliance examinations for the period ended June 30, 2020 we did the following:

•Updated the Compliance Audit Guide to include specific questions concerning cybersecurity practices, policies and procedures, training, roles and responsibilities, risk assessments, and data classifications. In addition, we provided guidance to assist audit staff and contractors in obtaining and reviewing documentation to support responses.

• Performed detailed testing at 26 agencies considered higher risk as part of the June 30, 2021 compliance examinations. We provided these agencies with detailed information regarding our analysis and, if appropriate, we developed findings.

 

As a result of our process for June 30, 2021 examinations, we identified significant weaknesses at 42 agencies: Abraham Lincoln Presidential Library and Museum, Department of Agriculture, Illinois Arts Council, Department of Central Management Services, Chicago State University, Illinois Criminal Justice Information Authority, Eastern Illinois University, State Board of Elections, Illinois Emergency Management Agency, State Employees’ Retirement System, Department of Employment Security, Office of Executive Inspector General, Illinois Finance Authority, General Assembly House, General Assembly Senate, Commission on Government Forecasting & Accountability, Office of Governor, Governors State University, Guardianship and Advocacy Commission, Department of Healthcare and Family Services, Illinois Housing Development Authority, Department of Human Rights, Department of Human Services, Illinois State University, Department of Labor, Legislative Reference Bureau, Office of Lieutenant Governor, Liquor Control Commission, Department of the Lottery, Illinois Mathematics and Science Academy, Northeastern Illinois University, Department of Public Health, Office of Secretary of State, Southern Illinois University, Supreme Court, Supreme Court Historic Preservation Commission, Teachers’ Retirement System, State Universities Civil Service System, State Universities Retirement System, University of Illinois, Western Illinois University, and Illinois Workers’ Compensation Commission.

 

To promote agencies’ responsibility to ensure that confidential information is protected from accidental or unauthorized disclosure, we generally recommended they:

• Establish and document cybersecurity roles and responsibilities.

• Establish and communicate policies, procedures and processes to manage and monitor the regulatory, legal, environmental and operational requirements.

• Perform a comprehensive risk assessment to identify and ensure adequate protection of confidential or personal information most susceptible to attack.

• Classify data to establish the types of information most susceptible to attack to ensure adequate protection.

• Ensure all employees annually complete cybersecurity training as outlined in the Data Security on State Computers Act.

• Evaluate and implement appropriate controls to reduce risk of attack.

 

We will continue to review cybersecurity programs and practices in our June 30, 2022 compliance examinations.

 

Agency officials generally concurred with our recommendations concerning these issues.

 

The information systems audit staff also reviewed and tested the systems and procedures at the Department of Innovation and Technology. We released three System and Organization Control (SOC) Reports regarding the Department’s control environment. 

 

 

Information Technology Hosting Services

 

The Department provides Information Technology Hosting Services for state agencies.

 

This SOC Report contained an adverse opinion as result of:

• The “Description of the State of Illinois, Information Technology Hosting Services” contained inaccuracies and omissions.

• The controls related to the trust services criteria stated in the “Description of the State of Illinois, Information Technology Hosting Services” were not suitably designed to provide reasonable assurance the trust services criteria would be achieved.

• The controls related to the trust services criteria stated in the “Description of the State of Illinois, Information Technology Hosting Services” did not operate effectively.

 

 

Information Technology Shared Services

 

This SOC Report contained an adverse opinion as a result of:

• The “Description of the Information Technology Shared Services System for the Information Technology General Controls and Application Controls” contained inaccuracies.

• The controls related to the control objectives stated in the “Description of the Information Technology Shared Services System for the Information Technology General Controls and Application Controls” were not suitably designed to provide reasonable assurance the control objectives would be achieved.

• The controls related to the control objectives stated in the “Description of the Information Technology Shared Services System for the Information Technology General Controls and Application Controls” did not operate effectively.

 

 

State of Illinois, Enterprise Resource Planning System

 

The Enterprise Resource Planning System is utilized by state agencies. 

 

This SOC Report contained a qualified opinion as a result of:

• The “Description of the State of Illinois, Enterprise Resource Planning System for the IT General Controls and Application Controls” contained inaccuracies.

• The controls related to the control objectives stated in the “Description of the State of Illinois, Enterprise Resource Planning System for the IT General Controls and Application Controls” were not suitably designed to provide reasonable assurance the control objectives would be achieved.

• The Department did not ensure its controls over the State’s Enterprise Resource Planning System operated effectively.

 

As a result of the modified opinions, auditors of these agencies will likely modify the agency-level risk assessments to accommodate the additional risk to agencies and perform additional procedures to properly address these risks.

 

Department officials accepted the recommendations in the SOC reports.

 

 

Other Office Responsibilities

 

 

ANNUAL AUDIT ADVISORY

 

Every year, the Auditor General’s Office distributes an Illinois Audit Advisory to all State agencies for the purpose of sharing information that may make their operations more efficient and effective, and increase compliance with State law. Copies of this audit advisory are available on our website at: www.auditor.illinois.gov.

 

 

Comptroller’s Accounting System Review

 

The Auditor General is required by law to annually review the Comptroller’s Statewide accounting system. This review is accomplished through the Office’s audit of the State Comptroller, and by ensuring that all agency audits are performed in accordance with the Auditor General’s Audit Guide.

 

In addition, the Auditor General annually reviews the State Comptroller’s pre-audit function. Pre-audit is the primary control over expenditure voucher processing. The State Comptroller pre-audits financial transactions to determine if they are proper and legal.

 

 

PEER REVIEW

 

Peer review is an external quality control review conducted every three years by audit professionals from across the United States who are selected by the National State Auditors Association. The peer review helps to ensure that our procedures meet all required professional standards, comply with Government Auditing Standards, and produce reliable products for the agencies we audit.

 

The September 2020 peer review of the Auditor General’s audit processes resulted in an unmodified (clean) opinion. Additionally, the peer review team did not note any deviations from professional standards that would have required a written letter of comments. Our prior peer reviews, conducted in 1996, 1999, 2002, 2005, 2008, 2011, 2014 and 2017 likewise resulted in unmodified opinions. Our next peer review is slated for 2023.

 

 

STATE ACTUARY

 

Public Act 97-694, effective June 18, 2012, directed the Auditor General to “contract with or hire an actuary to serve as the State Actuary.” Among its duties, the State Actuary is required to “review assumptions and valuations prepared by actuaries retained by the boards of trustees of the State-funded retirement systems” and “issue preliminary reports...concerning proposed certifications of required State contributions submitted to the State Actuary by those boards.” [30 ILCS 5/2-8.1 (a) and (b)] In addition, Public Act 100-465, effective August 31, 2017, added a similar requirement for the State Actuary to review the Public School Teachers’ Pension and Retirement Fund of Chicago.

[40 ILCS 5/17-127(e)] Through a competitive proposal process, the Auditor General awarded a contract in August 2012 to Cheiron, a full-service actuarial and consulting firm.

 

Cheiron issued its preliminary reports to the public retirement systems on December 1, 2022. As required by statute, the Auditor General submitted a written report to the General Assembly and Governor on December 21, 2022, documenting the initial assumptions and valuations prepared by the actuaries retained by the boards of trustees of the State-funded retirement systems, the State Actuary’s preliminary reports, and the responses of each board to the State Actuary’s recommendations.

 

The report is available in its entirety on our website at www.auditor.illinois.gov. 

 

 

Continuing Professional Education and Training Requirements

 

The U.S. Government Accountability Office established Government Auditing Standards (the Yellow Book) for performing high-quality audit work with competence, integrity, objectivity, and independence to provide accountability and to help improve government operations and services.

 

The Yellow Book standard relating to competence specifies that management must assign auditors to conduct the engagement who collectively possess the competence needed to address the engagement objectives and perform their work in accordance with Generally Accepted Government Auditing Standards (GAGAS).

 

Auditors who plan, direct, perform engagement procedures for, or report on an engagement conducted in accordance with GAGAS should develop and maintain their professional competence by completing at least 80 hours of continuing professional education (CPE) every 2 years. A minimum 24 hours of that CPE should be directly related to the government environment, government auditing, or the specific or unique environment in which the audited entity operates. The remaining 56 CPE hours should be in subject matter that directly enhances auditors’ professional expertise to conduct engagements. Auditors should complete at least 20 hours of CPE in each year of the 2-year period. 

 

Auditors hired or assigned to a GAGAS engagement after the beginning of the 2-year CPE period may complete a prorated number of CPE hours. Also, auditors who charge less than 20 percent of their time annually to engagements conducted in accordance with GAGAS and are not involved in planning, directing, or reporting on the engagement need only complete the 24-hour requirement. 

 

The most recently completed 2-year period for CPE requirements as measured by the Office of the Auditor General was January 1, 2021, through December 31, 2022. All auditors, audit directors, and information specialists required to meet the CPE standards were in compliance for this 2-year period.

 

Additionally, the Office of the Auditor General is a registered sponsor with the Illinois Department of Financial and Professional Regulation, and complies with the rules of the Illinois Public Accounting Act. 

 

 

CLAIMS DUE THE STATE AND METHODS OF COLLECTION

 

As required by law [30 ILCS 205/2 (k)], the Office of the Auditor General is reporting that there were no outstanding claims administered by the Office that were due and payable to the State as of December 31, 2022. The accounts receivables generated by our Office primarily represent billings to other State agencies for reimbursement of audit costs. Reimbursements for federal single audits are deposited into the General Revenue Fund. Reimbursements for audits not associated with federal single audits are deposited or transferred to the Audit Expense Fund. If normal collection methods fail, we request assistance from the Office of the Attorney General. To date we have never used the services of a private collection agency.

 

 

SUMMARY OF APPROPRIATIONS AND EXPENDITURES

 

The Office of the Auditor General was funded by appropriations from the General Revenue Fund and Audit Expense Fund for Fiscal Year 2022 (July 1, 2021 to September 30, 2022, including lapse period).

 

FY 2022 - FINAL

(Appropriation; Expended; Balance)

 

GRF Operations:
Personal Services . . . . . . . . . . . . . . . . . . . . . . . .$6,539,700. . . . . . . .$6,537,695 . . . . . . . . . . . $2,005
Social Security . . . . . . . . . . . . . . . . . . . . . . . . . . .$481,000. . . . . . . . . .$476,500. . . . . . . . . .  . $4,500
Contractual Services . . . . . . . . . . . . . . . . . . . . . . .$610,000 . . . . . . . . .$606,928 . . . . . . . . . .   $3,072
Commodities . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .$300 . . . . . . . . . . . . .$190 . . . . . . . . . . . . .$110
Paper and Printing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .$0 . . . . . . . . . . . . . . .$0 . . . . . . . . . . . . . . .$0
Equipment . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .$0 . . . . . . . . . . . . . . .$0 . . . . . . . . . . . . . . .$0
EDP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .$0 . . . . . . . . . . . . . . .$0 . . . . . . . . . . . . . . .$0
Telecommunications . . . . . . . . . . . . . . . . . . . . . . . .$16,000 . . . . . . . . . . $14,066 . . . . . . . . . . .$1,934
Operation of Automotive Equipment . . . . . . . . . . . . . . .$0 . . . . . . . . . . .  . . . .$0 . . . . . . . . . . . . . . .$0
GRF Operations Total . . . . . . . . . . . . . . . . . . .$7,647,000 . . . . . . . .$7,635,379 . . . . . . . . . . $11,621
Audit Expense Fund:
Audits/Studies/Investigations . . . . . . . . . . . . .  $30,095,422 . . . . . . .$26,262,923. . . . . . . . $3,832,499