State of Illinois
Office of the Auditor General
2024 Annual Report
March 1, 2025
The Honorable Members of the General Assembly
The Legislative Audit Commission
The Honorable JB Pritzker, Governor
Citizens of Illinois
Ladies and Gentlemen:
Enclosed is the Annual Report of the Auditor General’s Office, submitted in compliance with Section 3-15 of the Illinois State Auditing Act.
The mission of the Auditor General’s Office has been, and will continue to be, to present objective, balanced and independent audits. I believe this Annual Report reflects the Office’s success in fulfilling that goal during calendar year 2023.
I would like to thank the members of the General Assembly, members and staff of the Legislative Audit Commission, and the staff of the Auditor General’s Office, through whose efforts the reported accomplishments were made possible.
Yours truly,
FRANK J. MAUTINO
Auditor General
Overview
Frank J. Mautino became Auditor General of the State of Illinois on January 1, 2016. Prior to his appointment as Auditor General, Mr. Mautino was a member of the Illinois House of Representatives, and served as a co-chairman of the Legislative Audit Commission.
As a constitutional officer, the Auditor General audits public funds of the State and reports findings and recommendations to the General Assembly and to the Governor. The establishment of the Auditor General under the Legislature is important. It ensures that the Legislature, which grants funds and sets program goals, will ultimately review program expenditures and results. Thus, agencies are accountable to the people through their elected representatives.
The Auditor General’s Office performs several types of audits to review State agencies. Financial audits and Compliance examinations are mandated by law. They disclose the obligation, expenditure, receipt, and use of public funds. They also provide agencies with specific recommendations to help ensure compliance with State and federal statutes, rules and regulations.
Performance audits are conducted at the request of legislators to assist them in overseeing government. Programs, functions, and activities are reviewed according to the direction of the audit resolution or law directing the audit. The General Assembly may then use the audit recommendations to develop legislation for the improvement of government.
Information Systems audits are performed on the State’s computer networks. They determine whether appropriate controls and recovery procedures exist to manage and protect the State’s financial and confidential information.
Copies of all audits are made available to members of the Legislature, the Governor, the media, and the public. Findings include areas such as accounts receivable, computer security, contracts, expenditure control, leases, misappropriation of funds, personnel and payroll, property control, purchasing, reimbursements, telecommunications, and travel.
Audit reports are reviewed by the Legislative Audit Commission in a public hearing attended by agency officials. Testimony is taken from the agency regarding the audit findings and the plans the agency has for corrective action. In some cases, the Commission may decide to sponsor legislation to correct troublesome fiscal problems brought to light by an audit. All outstanding recommendations are reviewed during the next regularly scheduled audit of an agency or, if the Commission requests, a special interim audit may be conducted.
Public Information
An audit and its supporting workpapers, unless confidential by, or pursuant to, law or regulation, are public documents once the report has been officially released to the Legislature, the public, and the press. These documents are available for review in our Springfield and Chicago offices.
The following information is also available by request:
• Late Filing Affidavits
• Emergency Purchase Affidavits
Information about the Auditor General is available on the Internet. This information includes report summaries and full report texts.
Our internet web site address is: www.auditor.Illinois.gov
Our e-mail address is: audgen@auditor.illinois.gov
Public information is available by writing:
FOIA Officer
Office of the Auditor General
400 West Monroe, Suite 306
Springfield, IL 62704-9849
Springfield:
Telephone: (217) 782-6046
Fax: (217) 785-8222
Chicago:
Telephone: (312) 814-4000
Fax: (312) 814-4006
TTY: (888) 261-2887
Our Fraud Hotline is: Toll-Free: (855) 217-1895
Visit our web site at www.auditor.Illinois.gov for full details or for an on-line reporting form.
Organizational Chart
As of December 31, 2024, there were 74 employees. Sixty-nine were located in the Springfield Office and five in the Chicago Office.
THE COMPLIANCE EXAMINATION PROGRAM
The Auditor General is required by the Illinois State Auditing Act to conduct, as is appropriate to the agency’s operations, a financial audit and/or compliance examination of every State agency at least once every two years. These audits and examinations inform the public, the Legislature, and State officers about the obligation, expenditure, receipt, and use of public funds, and provide State agencies with recommendations to help ensure compliance with State and federal statutes, rules, and regulations.
The Financial and Compliance Audit Division of the Office of the Auditor General (Office) conducted engagements at 87 agencies during the FY 2023 audit cycle. These engagements encompassed compliance examinations, financial audits, and federal single audits. Staff auditors conducted 13 of these audits. The remainder were performed by public accounting firms under the general direction and management of the Auditor General’s audit managers.
The Illinois Constitution of 1970 revised and expanded the traditional financial audits conducted of State agencies to focus on compliance with legislative intent and proper performance of governmental operations, as well as financial accountability.
The compliance program has a positive impact on the operations of State government because agencies implement many of the recommendations made in these reports. Compliance reports are also reviewed by the Legislative Audit Commission, where legislators question agency directors about audit findings and the corrective action they plan to take. Legislators and their staffs also use compliance reports during appropriation hearings in the spring legislative session. To maximize the usefulness of audit information, the Office attempts to deliver audits as early as possible in the legislative session
ACCOUNTABILITY
A number of reports issued since our last report had findings that were critically important from an accountability standpoint. A brief summary of some of these findings follows.
FAILURE TO MAINTAIN ACCURATE AND COMPLETE PANDEMIC UNEMPLOYMENT ASSISTANCE CLAIMANT DATA
The Department of Employment Security (Department) failed to maintain accurate and complete Pandemic Unemployment Assistance (PUA) claimant data.
On March 27, 2020, the President of the United States signed the Coronavirus Aid, Relief, and Economic Security (CARES) Act which provided states the ability to provide unemployment insurance to individuals affected by the pandemic, including those who would not normally be eligible for unemployment. Based on the Department’s records, as of the year ended June 30, 2023, 2,828 claimants received payments totaling $6,171,258.
In order to determine if claimants were eligible for benefits, we requested claimant data. Although the claimant data was provided, the data required considerable manipulation in order to make the data auditable and organized. Therefore, we were unable to determine if the data was complete and accurate. As a result, we were unable to conduct detailed testing to determine whether the claimants were entitled to benefits.
Due to the inability to conduct detailed claimant testing, we were unable to determine whether the Department’s financial statements accurately documented the PUA benefits paid during Fiscal Year 2023. Therefore, we are issuing a modified opinion over the Department’s Fiscal Year 2023 Unemployment Compensation Trust Fund
Statements of Revenues, Expenses, and Changes in Net Position and Cash Flows.
We recommended the Department implement controls to ensure the claimants’ data is complete and accurate.
The Department accepted our recommendation.
INADEQUATE CONTROLS OVER THE IMPLEMENTATION OF NEW STANDARD
The Department of Innovation and Technology (Department) failed to exercise adequate controls to ensure the new standard, GASB Statement No. 96 – Subscription-Based Information Technology Arrangements (SBITA), was properly implemented.
During testing, we requested the Department provide the population of SBITA contracts. The Department provided the list of SBITA contracts with the cut-off date of November 15, 2022, therefore the population provided was not complete.
We used the contract listing from HANA Live as of June 30, 2023, and performed testing to determine whether the Department has properly identified SBITA contracts and accurately calculated and recorded subscription liabilities and subscription assets, including the assets’ amortization.
During testing, we noted the Department’s process in identifying all contracts in the calculation of GASB Statement No. 96 was not adequate. The following issues were noted:
• The Department did not record 13 contracts, totaling $24.386 million, as SBITA.
• The Department erroneously classified and reported as SBITA two contracts. One contract has an unamortized cost of $18 thousand, which is less than $25 thousand. The other contract amounting to $280 thousand was erroneously included in Fund 304’s SBITA listing instead of Fund 141.
• The Department did not accurately report the fixed payments for two contracts. The Department can- not provide documentation to support the initial amounts of fixed payments.
• After the Department was notified by the auditors of the exceptions, the Department re-evaluated the contracts and submitted the Form SCO-560S to the Office of Comptroller to include all SBITA contracts. The issues above resulted in financial statement accounts being incorrect, with the total Net Position being understated by $3.868 million. The Department made the required adjustments.
We recommended the Department exercise adequate controls to ensure proper implementation of the requirements of GASB Statement No. 96.
The Department accepted the finding and recommendation and stated they have already strengthened relevant controls to ensure SBITAs are recorded and reported in accordance with GASB 96.
INADEQUATE CONTROLS OVER REVENUE AND EXPENSE ACCRUALS FOR GRANT SUBAWARDS
The University of Illinois (University) did not maintain appropriate control over accounting for grant subawards.
During our test work over revenues and expenditures, it was noted that payments to subrecipients of grant funds, and the related reimbursements from the federal government, were not recorded in a consistent manner when applicable eligibility requirements were met. Upon discovery of this inconsistency, the University re-analyzed related accounts and determined that accounts receivable and accounts payable were both overstated by approximately $40,000,000, and federal grant revenue and research expenses were overstated by $3,000,000. There was no impact to opening or closing net position. Management elected to record the adjustment for the estimated amount of the error.
We recommended the University continue to review its process for ensuring transactions are recognized in the correct fiscal year.
University officials agreed with the recommendation.
WEAKNESSES IN PREPARATION OF YEAR-END FINANCIAL STATEMENTS
The Eastern Illinois University’s (University) year- end financial reporting in accordance with generally accepted accounting principles (GAAP) contained inaccurate information.
The University did not have adequate controls over the completeness and accuracy of year-end financial reporting which resulted in errors in the GAAP basis financial statements and supporting schedules provided to us during our audit. The University did not perform a sufficient supervisory review of all amounts recorded in its financial statements and footnotes. Also, as a result of audit differences identified by us as well as additional corrections subsequently identified by the University, the University provided us with several revisions to its draft financial statements, with significant modifications, before providing its final draft revision on January 10, 2024.
We noted the following issues while testing the year- end financial reporting process, which were corrected by the University after we brought them to its attention:
Restricted net position for the bond system was understated by $3,308,576 and unrestricted net position was overstated by the same amount due to an adjustment made to the year ended June 30, 2022, financial statements but not carried forward to the current fiscal year.
Tuition discounts for the MAP grant were under- stated by $1,832,800, resulting in the overstatement of revenue and operating expenses by the same amount due to a calculation error.
We also identified several errors in the Management Discussion and Analysis section of the financial report as well as the footnotes to the financial statements. The University corrected each of these accordingly.
We recommended the University strengthen its internal controls to ensure financial statements are prepared in a complete and accurate manner and are subjected to an appropriate supervisory review. We also recommended the University’s procedures address all elements of the University’s financial reporting process.
The University agreed with the recommendations.
INADEQUATE CONTROLS OVER INITIATING AND MONITORING GRANTS
The Illinois Community College Board (Board) did not exercise adequate controls over initiating and monitoring grant agreements.
We tested 60 grant agreements from 24 of the Board’s grant programs active during Fiscal Years 2022 and 2023 and noted the following weaknesses:
• For 53 of 60 (88%) grant agreements tested, the agreements were signed between two and 446 days late.
• For two of 24 (8%) grant programs tested, the reports did not contain the certification required by the grant agreement.
• For 20 of 24 (83%) grant programs tested, the grantees either did not provide required documentation to the Board, required reporting did not meet the timeframes and/or specifications outlined in the grant agreement, or documentation was not retained by the Board to demonstrate the required documentation was received and met all related requirements.
We recommended the Board implement and enforce internal controls to ensure all reporting requirements are adhered to. We further recommended the Board ensure grant application and budget deadlines and agreement start dates allow sufficient time for approval of grant agreements by all parties prior to the effective date.
The Board concurred with the finding and stated the Board is transitioning report and budget monitoring to program compliance staff and will provide additional training. The Board also responded it will ensure future grant agreements are drafted with language authorizing pre-award costs if applicable.
INADEQUATE CONTROLS OVER REPORTING REQUIREMENTS
The Illinois Liquor Control Commission (Commission) did not file statutorily required reports and submissions or did not file them timely.
During testing, we noted the following:
• The Commission submitted the Fiscal Control and Internal Auditing Act (FCIAA) certification for Fiscal Year 2022 to the Office of the Auditor General, 17 days late.
• The Commission did not submit an annual report of its acts and doings to the Governor for Fiscal Year 2021.
• The Commission submitted one report to the General Assembly during the examination period.
However, a copy of such report was not provided to the State Library, nor such report was published on the Commission’s website. In addition, the Commission did not provide and deposit with the State Library copies of all publications issued by the Commission, including electronic publications, for its collection and exchange purposes during Fiscal Years 2022 and 2023.
• Four of 24 (17%) monthly Debt Transparency Act reports submitted by the Commission to the Office of Comptroller during the examination period were one to 25 days late. These reports were for Fiscal Year 2022.
• One of 4 (25%) Travel Headquarter (TA-2) Reports filed by the Commission to the Legislative Audit Commission (LAC) during the examination period was filed 97 days late.
During the prior examination, the Commission did not accurately report information on its Fiscal Year 2020 Agency Workforce Report (Report). During the current examination, we noted the Commission failed to submit the corrected the corrected Report within 30 days after the release of the Commission’s prior audit by the Auditor General.
• The Commission submitted its Fiscal Year 2022 Annual Inventory Certification Report to the Department of Central Management Services (CMS) 35 days late.
• The Commission did not submit its Fiscal Year 2021 Individually Assigned Vehicles (IAV) Report to CMS while the Fiscal Year 2022 IAV Report was submitted 91 days late.
We recommended the Commission strengthen its internal controls over reporting to ensure statutorily required reports are completed accurately and submitted timely as required by State laws.
The Commission agreed with the finding and recommendation and stated that they will improve internal controls to ensure annual reports are submitted in compliance with laws and regulations.
INADEQUATE CONTROLS OVER RECEIPTS AND ACCOUNTS RECEIVABLE
The Illinois Emergency Management Agency and Office of Homeland Security (Agency) did not exercise adequate controls over its receipts and refund processing and accounts receivable reporting.
Receipts and Refunds
During testing of receipts and refunds transactions and procedures, we were unable to complete the following testing as the Agency was unable to provide the necessary supporting documentation:
• Testing over 2 of 10 (20%) refund receipt transactions, totaling $1,206,354.
• Testing over 3 of 3 (100%) returned checks.
• Testing over the fee rates for Radiation Machine Inspection and Registration fees reported on the Fiscal Year 2022 and Fiscal Year 2023 Fee Imposition Reports.
Accounts Receivable
We performed detailed accounts receivable testing on the following funds: the Radiation Protection Fund (067), the Nuclear Safety Emergency Preparedness Fund (796), and the Low-Level Radioactive Waste Facility Development and Operation Fund (942).
During testing of accounts receivable, we noted the following:
• For Fund 067, various balances reported on all quarterly Form C-98s for Fiscal Year 2022 and 2023 did not agree to the Agency’s records. Differences were noted for various aging categories and ranged from net differences of $2,000 to $251,000.
• For Fund 796, various balances reported on 3 of 8 (38%) quarterly Form C-98s for Fiscal Year 2022 and 2023 did not agree to the Agency’s records. Differences were noted for various aging categories and ranged from net differences of $5,000 to $12,000.
• For Fund 942, various balances reported on 5 of 8 (63%) quarterly Form C-98s for Fiscal Year 2022 and 2023 did not agree to the Agency’s records. Differences were noted for various aging categories and ranged from net differences of $2,000 to $38,000.
• Six of the eight (75%) quarterly Form C-99s tested did not agree to the corresponding quarterly Form C-98s. The amount reported for “Total of Past Due Accounts over 180 Days” on the Form C-99 did not agree to the amount reported for “Over 180 Days” on the corresponding C-98. Differences ranged from overstatements of $38,000 to
• $109,000. In addition, the quarterly Form C-99s did not agree to Agency records. Net differences ranged from $5,000 to $543,000.
Lack of Segregation of Duties
During testing, we noted one individual performed three parts of the transaction cycle, including:
• Initiation by generating invoices for amounts due to the Agency,
• Custody by handling physical checks and maintaining electronic and physical records, and
• Recordkeeping by preparing and posting entries.
Enterprise Resource Planning Program Utilization
The State’s implementation of the Enterprise Resource Planning (ERP) program centralized the finance, procurement, grants management, and asset management processes by replacing outdated manual systems and technologies. The ERP can enhance transparency of data, reduce processing time, and improve the timeliness of financial reporting. During the examination period, the ERP’s processing integrity was sufficient to enable reliance upon ERP’s processing of transactions. During our examination, we noted the Agency billed entities for various services; however, the Agency did not fully utilize the Public Sector Collection & Disbursements (PSCD) ERP module. Invoices and bills are generated through the Agency’s legacy Accounts Receivable system, which is an internally developed system based on Microsoft Access. During March 2023, several types of fees were partially migrated to the ERP system. However, invoices and bills and customer data is still entered into the legacy system first. The data is then mapped over to the ERP system electronically. The PSCD maintains transactions related to billings, payments and accounts receivable. During the examination period, the Agency had billings and receipts totaling $10,840,859,988.
Late Deposits
During the entirety of Fiscal Year 2022 through February of Fiscal Year 2023, we noted the Agency did not utilize the PSCD module of the ERP System to process receipts and refunds. As such, we tested receipts and refunds deposited outside of the PSCD module during this period, and noted the following:
• The Agency did not deposit 3 refund items, each exceeding $10,000, on the same day as received.
• The Agency did not deposit 1 receipt item, less than $500 in totality, when accumulated to $500 or on the 1st or 15th of the month, whichever was earlier.
• The Agency did not deposit 2 receipt items, totaling $19,504, within 7 days of receipt, as required per the Agency’s deposit extension approval.
• From March of Fiscal Year 2023 through the end of the fiscal year, the Agency utilized the PSCD module for certain receipts and refunds. We conducted an analysis of the Agency’s receipts data for the period of Fiscal Year 2023 that the Agency utilized the ERP system for receipts and refunds to determine compliance with the State Officers and Employees Money Disposition Act (Act) (30 ILCS 230/2(b)), noting the following noncompliance:
• The Agency did not deposit 11 receipts items, each exceeding $10,000, on the same day as received.
• The Agency did not deposit 61 receipt items, exceeding $500 but less than $10,000 in totality, within 48 hours.
• The Agency did not deposit 736 receipt items, less than $500 in totality, when accumulated to $500 or on the 1st or 15th of the month, whichever was earlier.
• We were unable to determine the timeliness of deposit for 9 receipt items.
We recommended the Agency implement the necessary controls to: facilitate timeliness of deposits; ensure accuracy of accounts receivable reporting; ensure adequate segregation of duties; and ensure ERP is fully implemented and utilized by the Agency.
The Agency agreed with the finding and recommendation and stated it began using the PSCD module during FY23 and this will increase visibility of deposit timeliness and provide adequate support for accounts receivable reports. Further, the Agency stated it is in the process of actively filling positions in the accounts receivable unit as vacancies exist.
VOUCHER PROCESSING INTERNAL CONTROLS NOT OPERATING EFFECTIVELY
The Board of Higher Education’s (Board) internal controls over its voucher processing function were not operating effectively during the examination period.
The Board implemented the Enterprise Resource Planning System (ERP) effective Fiscal Year 2023.
Fiscal Year 2022
Non-Payroll Expenditures:
During our testing of 25 vouchers totaling $324,193, we noted the following:
• Two (8%) of the vouchers tested, totaling $12,080, were not supported with the vendors’ invoices.
• Nine (36%) of the vouchers tested, totaling $110,682, were approved for payment between two to 282 days late.
• Two (8%) vouchers tested, totaling $29,311, were paid late and the Board did not pay interest owed to the vendors, totaling $1,736.
Awards and Grants Expenditures:
During testing of 30 awards and grants vouchers totaling $1,483,042, we noted the following:
• One (3%) of the vouchers tested, totaling $23,959, had no approval from the Board or head designee.
• Four (13%) of the vouchers tested, totaling
• $305,149, were approved for payment between 34 to 111 days late.
Fiscal Year 2023
Due to our ability to rely upon the processing integrity of the Enterprise Resource Planning System (ERP) operated by the Department of Innovation and Technology (DoIT), we were able to limit our voucher testing at the Board to determine whether certain key attributes were properly entered by the Board’s staff into the ERP. In order to determine the operating effectiveness of the Board’s internal controls related to voucher processing and subsequent payment of interest, we selected a sample of key attributes (attributes) to determine if the attributes were properly entered into the State’s Enterprise Resource Planning (ERP) System based on supporting documentation. The attributes tested were (1) vendor information, (2) expenditure amount, (3) object(s) of expenditure, and (4) the later of the receipt date of the proper bill or receipt date of the goods and/or services.
Our testing noted the following attributes were not properly entered into the ERP system. Therefore, the Board’s internal controls over voucher processing were not operating effectively.
• 14 of 140 (10%) general vouchers
• 5 of 120 (4%) awards and grants vouchers
Due to this condition, we qualified our opinion because we determined the Board had not complied, in all material respects, with applicable laws and regulations, including the State uniform accounting system, in its financial and fiscal operations.
Even given the limitations noted above, we conducted an analysis of the Board’s expenditures data for the fiscal year 2023 and noted the following noncompliance:
• The Board owed five vendors interest totaling $1,009 in fiscal year 2023; however, the Board had not approved these vouchers for payment to the vendors.
• The Board did not timely approve 295 of 327 (90%) vouchers processed during the examination period, totaling $10,035,537. We noted these late vouchers were approved between 1 and 324 days late.
We recommended the Board design and maintain internal controls to provide assurance its data entry of key attributes into ERP is complete and accurate. Further, we recommended the Board approve proper bills within 30 days of receipt and approve vouchers for payment of interest due to vendors. Furthermore, we recommended the Board ensure interest due is paid to vendors.
The Board agreed with the finding and stated it has obtained additional training and hired additional staff to ensure vouchers are processed properly in the State ERP system.
INADEQUATE CONTROLS OVER STATE PROPERTY
The Department of Agriculture (Department) did not exercise adequate controls over State property.
The following exceptions were identified from our detailed testing of the Department’s State property records:
• During our list to floor testing of 60 Department property items, we noted the following:
– Four (7%) items totaling $201,320 were not properly tagged.
– Two (3%) items totaling $30,046, were surplused, but were still on Department records. The items not removed from property records were a copier and printer card.
– Two (3%) items, amounting to $8,278, appeared obsolete, but remained on the inventory listing and approval had not been requested to dispose of the items.
– One (2%) item (port module), amounting to $2,510, was not located.
• During our floor to list testing of 60 Department property items, we noted the following:
– Seven (12%) items of undetermined value were not tagged. The items that were not tagged were the following: golf cart, blower, laminator, spectrometer, mower, wood planer, and drill compressor.
– Two (3%) items of undetermined value appeared obsolete and not functional. The items found were a wood planer and power sander.
– Three (5%) items of undetermined value were physically identified, but not included in the Department’s inventory listing. The items that were not added to Department records were a shaker, balance comparator, and washer machine.
During our testing of 60 property additions, we noted the following:
– Thirty-three items (55%), totaling $401,982, were recorded in the Department’s property records more than 90 days after acquisition, ranging from 5 to 821 days late.
During our testing of 60 property deletions, we noted the following:
– For two (3%) items, totaling $34,255, the purchase price on the deletion form did not match Department records, resulting in a total difference of $654.
– Seventeen (28%) items, totaling $122,381, were removed from Department property records more than 90 days after deletion, ranging from 6 to 744 days late.
In addition, we reviewed 215 Office of the State Fire Marshal inspection reports of the Department’s buildings and grounds and noted 109 (51%) inspection/reinspection reports indicated a result of “Fail” in one or more circumstances. Examples of failed inspections included, but were not limited to, violations of electrical systems, fire alarm systems, replacement of combustible items, portable fire extinguishers, and barn safety.
We recommended the Department strengthen its procedures over property and equipment to ensure accurate and timely recordkeeping and accountability for all State assets. We also recommended the Department work with the Office of the Governor and the Illinois General Assembly to obtain the resources necessary to address the safety conditions noted by the Office of the State Fire Marshal on Departmental grounds.
The Department agreed with this finding and recommendation.
FAILURE TO CONDUCT ADEQUATE SITE VISIT MONITORING OF GRANTEES
The Illinois Criminal Justice Information Authority (Authority) failed to conduct adequate site visit monitoring of its grantees in accordance with its Federal and State Grants Unit’s Policies and Procedures (FSGU P&P).
Specifically, we noted the following deficiencies:
• The Authority did not conduct site visits for 25 of the 104 programs (24%).
• Of the 65 programs which had a site visit timely conducted by the Authority, we selected a sample of 10 grants to determine if the Authority performed the site visit as required by its FSGU P&P and noted site visit reports were completed 21 and 47 days late for two grants (20%).
• Authority did not perform site visits for 30 of 60 grants (50%) which required site visits be performed as a special condition or requirement of the grant agreement.
We recommended the Authority conduct and document the site visits performed during a State fiscal year for grant programs administered by the Authority.
Authority management agreed with the recommendation and stated the failure to conduct adequate site visits was largely attributed to grant staff workload. Authority management further stated during State fiscal year 24/25, the Authority plans to increase its headcount by an additional 50 staff members; approximately 20 of the new people will be deployed to federal and State grants unit.
Authority management also stated these new people will lower existing staff workloads and expand their grant monitoring (and monitoring documentation) capabilities.
FAILURE TO ESTABLISH AND MAINTAIN ADEQUATE INTERNAL CONTROL OVER THE SPECIAL STATE TRUST FUND
The Department of Labor (Department) failed to establish and maintain adequate control over its Special State Trust Fund (Fund 251), which holds unpaid wages due to employees. As of June 30, 2023, Fund 251 had $1,593,905 in cash.
Pursuant to the Illinois Wage Payment and Collection Act (WPCA) (820 ILCS 115/11.5(a)), the Department collects, when necessary, an employee’s wages or final compensation due and holds these moneys until the employee (now, claimant) can be located by the Department and properly paid.
Additionally, pursuant to the Minimum Wage Law (MWL) (820 ILCS 105/12(b)), the Department collects, when necessary, unpaid minimum wages and overtime due to employees and holds these moneys until the employee (now, claimant) can be located by the Department and properly paid.
Finally, the Statewide Accounting Management System (SAMS) (Procedure 05.50.01) notes fiduciary funds account for assets held by a governmental unit in a trustee capacity or as an agent for individuals, and SAMS (Exhibit 27.50.10-A) notes Fund 251 is an agency type of fiduciary fund.
During our testing, we noted:
• Eight of 60 (13%) claimant payments tested, totaling $59,164, were approved for payment between 14 to 32 days after the Department determined the monies were owed to the claimant.
• We were unable to reconcile the Department’s ledger of claimants to Fund 251’s cash balance from the Monthly Cash Report (SB05) prepared by the Comptroller. We noted unreconciled differences of $1,487,630 and $1,554,686 at June 30, 2022, and June 30, 2023, respectively.
• At June 30, 2023, the Department was holding claimant balances related to activity in previous Fiscal Years. Each of these balances required a proper disposition by the Department.
We recommended the Department take action to ensure:
• claimant payments are promptly processed and paid, along with the posting of proper accounting entries, when distributed from Fund 251;
• reconciliations of the total amount due to claimants at the end of each month to the SB05 report are performed and any unreconciled discrepancies are investigated and properly resolved;
• amounts due to claimants older than one year under the MWL are promptly transferred to the General Revenue Fund, with the timely posting of proper accounting entries; and,
• amounts due to claimants under the WPCA are properly handled under the relevant provisions of the Revised Uniform Unclaimed Property Act, with the timely posting of proper accounting entries.
The Department accepted the recommendation and stated they have updated several of the statutes they enforce (Illinois Wage Payment and Collection Act and Illinois Minimum Wage Act) as well as its administrative rules to clarify the timeline and process for distributing funds to wage claimants and identifying those funds for which the claimant/ employee cannot be located. They also recently developed an updated internal policy regarding when unclaimed funds should be sent to the Illinois State Treasurer’s Unclaimed Property Fund.
INADEQUATE INTERNAL CONTROLS RELATED TO REVIEW OF FINANCIAL STATEMENTS
The Office of the Treasurer (Office) had inadequate internal controls over the Office’s Illinois Funds Program financial statement preparation and review process.
During preparation of the financial statements, the Office incorrectly accounted for cancelled, un-executed purchases and redemptions. The cancelled purchases should have been netted with purchase transactions. The error led to the overstatement of both subscriptions and redemptions on the Statements of Changes in Fiduciary Net Position by $170,421,701.
The Office corrected the error noted above within the year-end financial statements.
We recommended the Office improve controls over the financial reporting process of the Illinois Funds Program by verifying that cancelled, un-executed purchases are not recorded at gross amounts within the financial statements.
The Office accepted the recommendation and stated it will implement additional controls over the reporting and review process of the Illinois Funds financial statements.
LACK OF CONTROL OVER CONTRACTS
The Illinois Department of Public Health (Department) did not have adequate controls over contracts to ensure the contracts contained the necessary provisions, were properly approved, and accurately reported.
As part of our testing, we requested the Department to provide a population of contractual agreements, emergency purchases, and interagency agreements. In response to our request, the Department provided populations for emergency purchases and interagency agreements but was not able to provide a listing of all the contractual agreements which the Department had entered into during the examination period. Additionally, the emergency purchases listing provided by the Department did not agree with the emergency purchases reported to the Office of the Auditor General and there were interagency agreements not reported in the Agency Contract Report (SC-14). Due to these conditions, we were unable to conclude the Department’s population records were sufficiently precise and detailed under the Attestation Standards promulgated by the American Institute of Certified Public Accountants (AT-C § 205.36).
During testing, we noted the following:
• Six of 14 (43%) interagency agreements tested, totaling $5,706,197, were executed subsequent to the performance of services. The agreement execution dates ranged from seven to 385 days late. Additionally, the Department was not able to provide the executed agreements for two of 14 (14%) interagency agreements tested. Therefore, we are unable to test those agreements.
• For two of eight (25%) emergency purchase contracts tested, totaling $608,380, the Department published the total actual cost of each emergency purchase in the Illinois Procurement Bulletin 40 and 390 days late. In addition, one of eight (13%) emergency purchase contracts tested, totaling $360,101, ended on June 30, 2022 but the Department had not published the actual cost as of auditors’ fieldwork.
• The Department was not able to provide the supporting documentation that they submitted to the Procurement Policy Board and the Commission on Equity and Inclusion for the following:
• Notice of award for seven of eight (88%) emergency purchase contracts testing, totaling $10,765,277, and
• Notice of intent to extend an emergency contract for five of eight (63%) emergency purchase contracts tested, totaling $10,351,570.
• Three of 60 (5%) contractual agreements tested, totaling $5,541,576, were filed with the Comptroller more than 30 days after their execution and were not accompanied by a Late Filing Affidavit.
• Five of 60 (8%) contractual agreements tested, totaling $1,153,964, did not have the required subcontractor disclosure and utilization statements. In addition, one of 60 (2%) contractual agreements tested, totaling $471,550, did not have the Conflict of Interest Certification, and one (2%) contract, totaling $43,864, did not have the Certification of Registration with the State Board of Elections.
• For 26 of 60 (43%) contracts tested, the Contract Obligation Documents (CODs) were not properly completed. We noted the following:
• Twenty CODs totaling $12,284,856, included incorrect Illinois Procurement Bulletin/Bidbuy publication dates. Three of these CODs had an incorrect procurement reference number, one COD had an incorrect award code, and one COD had an incorrect appropriation code.
• Two CODs totaling $1,555,550, had contract beginning and ending dates different from the dates reported in the SC-14 Report.
• Four CODs did not state the correct annual contract amounts. The total annual amounts entered in the COD was $2,422,573, however, the total annual amounts reported in the SC-14 Report was $7,890,634. One of these CODs also incorrectly entered an obligation amount totaling $1,751,603, instead of the obligation amount totaling $6,314,022 in the SC-14 Report. Additionally, two of these CODs also did not state the correct maximum contract amounts. The maximum contract amounts entered in the CODs totaled $4,025,265, however, the total maximum contract amounts reported in the SC-14 Report was $9,525,184.
• One COD totaling $72,649 had an incorrect obligation number.
• One COD stated that subcontractors will not be utilized, however, the executed contract indicated utilization of subcontractors.
The Department’s process in implementing GASB Statement No. 87 – Leases (GASB 87), was not adequate. The following issues were noted:
• For two of five (40%) GASB 87 lease contracts tested, totaling $1,251,212, the forms SCO-560 were filed with the Office of Comptroller 77 and 347 days late.
• For three of five (60%) GASB 87 leases contracts tested, totaling $2,851,771, the forms SCO-560 were not filed with the Office of Comptroller, therefore, the Department did not record the corresponding right of use asset, lease liability, and lease payments.
The Department did not record the right of use asset, lease liability, and lease payments for one of two (50%) forms SCO-560 the Department submitted to the Comptroller’s Office, resulting in the understatement of the following accounts:
• Right of Use Asset amounting to $1,168,683;
• Lease Liability amounting to $1,168,683;
• Lease Payments amounting to $774,306.
We recommended the Department strengthen and monitor controls to ensure:
• all required contract information is complete and accurate,
• accurate and complete listings of contractual agreements, emergency purchases, and interagency agreements are maintained,
• proper implementation of the requirements of GASB Statement No. 87, and
• compliance with the requirements of the Procurement Code and State laws.
The Department agreed with the finding and recommendation and stated the process of contract monitoring is being evaluated and will be strengthened to the standards recommended by the Auditors.
AUDIT ADJUSTMENT
The Department of Transportation (Department) did not have adequate controls for calculating its net investment in capital assets and unrestricted net position.
The Department’s underlying calculations used to determine the net position at the end of the fiscal year inappropriately allocated amounts to net investment in capital assets as opposed to unrestricted net position, resulting in a necessary adjustment.
The effect of this misstatement in the Department’s government-wide financial statement was an overstatement of net investment of capital assets and an understatement of unrestricted net position of $560,626,000 as of June 30, 2023. The Department posted an audit adjustment to correct this classification error in its financial statements as of and for the year ended June 30, 2023. Total net position was not impacted.
We recommended the Department review the calculations used to determine net position classifications so that all components of net position are properly recorded for presentation in the Department’s financial statements.
The Department agreed with the finding and stated the error in the calculation of net position has been fixed. The Department also stated it will continue to enhance review processes to avoid such errors in the future. Finally, the Department stated it will also continue to research accounting standards that may impact future calculations of net position.
INADEQUATE CONTROLS OVER FINANCIAL STATEMENT CLOSE PROCESS
The Illinois Power Agency (Agency) did not review for proper revenue cutoff for the year ending June 30, 2023.
The Agency did not review subsequent billings past July 31, 2023 to evaluate any unrecorded revenue and accounts receivable earned that needed to be reflected as of June 30, 2023. General ledger account balance related to receivables and revenue were not appropriately stated on the trial balance. As a result, an adjustment was required for $2,970,489 to increase accounts receivable and revenue.
We recommended the Agency review all billings during the current fiscal year, as well as subsequent to year end, to verify appropriate revenue and accounts receivable cutoff.
Agency agreed with the finding.
LACK OF CONTROLS OVER YEAR-END REVIEWS AND RECONCILIATIONS
Northeastern Illinois University (University) did not timely complete and did not have adequate review of its year-end reconciliations.
During testing we noted the following:
• We noted a Fiscal Year payment for 4 invoices totaling $310,443 which should have been accrued for in Fiscal Year 2023, an invoice totaling $100,950 which should have been accrued for in Fiscal Year 2023, and a vendor with 3 invoices totaling $15,000 which should have been accrued for in Fiscal Year 2024 but were accrued for in Fiscal Year 2023.
• When University went live on April 16, 2023 with their new Payroll and Human Resources system there were conversion issues with how the activity was calculated and recorded in the University’s general ledger. Several corrections had to be made to both employee pay and amounts posted into the University’s general ledger. Due to the inability to get accurate data from the new system, the University recorded estimates for deferred faculty pay and accrued sick and vacation as of June 30, 2023, based on historical trend information and recorded an additional liability of $483,130. The University also recorded an entry in late October for retroactive pay of $1,245,337 that was paid in July 2023 for Fiscal Year 2023.
• The University did not reconcile federal and state grant receivables and revenue until October 2023. The University recorded a receivable of $1,502,692, federal grant revenues of $2,029,994, and a net reduction of state grant and other grant revenues by $527,757.
• The University did not complete a final analysis and recording of subscription-based information technology arrangements (SBITAs) until November 2023. The amounts recorded increased assets by $3,326,049, liabilities (current and noncurrent) by $3,009,333, as well as impacted several expense accounts including rent expense and amortization.
We recommended the University strengthen its internal controls by performing timely and accurate reconciliations throughout the year, as well as, at year end. In addition, we recommended the University closely monitor allocation of resources based on priorities to ensure there are sustained internal controls on a consistent basis.
University officials agreed with the finding.
INADEQUATE INTERNAL CONTROLS OVER CENSUS DATA
The Environmental Protection Agency (Agency) did not take sufficient measures to ensure all census data submitted to its pension and other post- employment benefits (OPEB) plans was complete and accurate for the Water Revolving Fund (Fund).
The Agency did not maintain sufficient documentation that a complete reconciliation was properly performed for census data used to calculate pension and other post-employment benefit balances.
Although the Agency performed a reconciliation of its census data, they did not take or document sufficient measures to ensure 100% of data in the base year was checked for completeness and accuracy.
We recommended the Agency ensure reconciliation of its active members’ census data from its underlying records and source documents to a report of the census data submitted to each plan’s actuary is properly completed and accurate. We further recommended the Agency evaluate the census data to identify any instances where data discrepancies exist and work with SERS to correct all such errors in the full base year reconciliation of Agency and SERS records. We also recommended the Agency maintain sufficient documentation of the reconciliation performed, including the methodology used, data traced, exceptions identified, and conclusions reached.
Agency officials agreed and stated the census reconciliation of employee data was performed screen by screen along with personnel (paper) file documents. Officials also stated the State Records Act requirements are encompassed in the employees’ system record and HR file, which have been retained in accordance with the Records Act.
In an Auditor’s Comment, we noted the Agency took no new measures during Fiscal Year 2023 to address this prior finding. Although the Agency did maintain employee records in their system and personnel files, they did not maintain or provide documentation sufficient to substantiate that 100% of the base year census data was reconciled and traced to source documents to ensure accuracy and completeness.
FAILURE TO CHARGE AND COLLECT ACCURATE GROUP INSURANCE REIMBURSEMENTS
The Department of Central Management Services (Department) charged all State agencies and State Universities (employers) with employees enrolled in the Consumer Driven Health Plan (CDHP) incorrect group insurance reimbursement rates, which resulted in various misstatements in the Schedule of Employer Allocations by Fund, Schedule of University Special Funding Situations, Schedule of Other Post Employment Benefit Amounts by Fund and Schedule of Deferred Amounts by Measurement Year (Schedules) during Fiscal Year 2023.
During OPEB allocation (employer’s proportionate share of the collective total OPEB liability) testing it was noted that all individuals enrolled in the CDHP were charged the incorrect employer group insurance reimbursement rates. The reimbursement rates charged for the CDHP matched the rates for the Quality Care Health Plan. This resulted in a monthly overcharge ranging from $266.18 to $770.90 (based on number of dependents and if Medicare eligible) per employee. During Fiscal Year 2023, 1,968 employees were enrolled in CDHP.
The Department indicated they became aware of the issue in February 2023, but continued to charge incorrect group insurance reimbursement rates for the remainder of Fiscal Year 2023. At the end of Fiscal Year 2023, the use of incorrect group insurance reimbursement rates resulted in an overcharge of $8,128,944 based on the Department’s internal analysis. Department management indicated it made credits for the overcharge available to agencies in the third party benefits solution application, but failed to communicate the situation to the agencies or provide instructions on how to obtain and apply the credits.
Through analysis of the $8,128,944 overcharge, we determined the population of employees impacted included those paid from exempt funds. Employers do not make group insurance reimbursement payments out of exempt funds. Credits that should have been issued by the Department for the overcharge totaled $4,515,233.
We recommended the Department implement a process to ensure group insurance reimbursement charges agree to published rates. Additionally, we recommended the Department implement a mechanism to track credits, which takes in account the funds the employees are paid from and work with the employers to ensure that the credits owed are utilized by the employers.
The Department accepted the finding and recommendation and indicated they have put testing measures in place to ensure all rate updates sent are tested to verify they are loading to the benefit deduction files correctly going forward.
LACK OF ADEQUATE CONTROLS OVER THE REVIEW OF INTERNAL CONTROLS FOR SERVICE PROVIDERS
Southern Illinois University (University) lacked adequate controls over the review of internal control of its service providers.
The University utilized over 100 service providers for various services.
The University did not have adequate controls to ensure all third-party service organizations were identified by university departments in order to perform annual reviews of the need for Service Organization Control (SOC) reports.
We further noted the risk assessment questionnaire for onboarding vendors and service providers did not consistently document the sensitive data and related processing performed by the service providers, or document alternate means of addressing service providers’ risks beyond review of SOC reports. Also, University personnel lacked sufficient guidance for completing their assessments. Due to these conditions, we were unable to conclude the University’s records of third-party service providers were complete, accurate, and reliable.
We selected a sample of service providers from the listings provided and noted instances where:
• Contracts and/or SOC reports for service providers were not obtained.
• Contracts did not require submission of a SOC report.
• Campuses had not completed a SOC Report Review Checklist or documented mapping of internal controls at the University to key complementary user entity controls (CUECs) noted in SOC reports tested.
We recommended the University strengthen its process and controls to identify and document all service providers utilized and determine and document if a review of controls is required. Where appropriate, we recommended the University:
• Obtain SOC reports (or perform independent reviews) and document the assessment of internal controls associated with outsourced systems at least annually.
• Monitor and adequately document the operation of the CUECs related to the University’s operations.
• Review contracts with service providers to ensure applicable requirements over the independent review of internal controls are included.
The University stated they agree and implementation continues. The University also stated continued efforts will be made to further refine their process for identifying and managing service providers.
The University also stated progress has been and is being made and noted that processes in place with respect to the service providers material to their financial statements have been refined and are functioning as designed.
WEAKNESSES IN CYBERSECURITY PROGRAMS AND PRACTICES
Illinois State University (University) had not implemented adequate internal controls related to cybersecurity programs and practices and control of confidential information.
The University utilizes various applications which contain a significant amount of critical and confidential data, such as names, addresses, Social Security numbers, banking information, etc.
The Illinois State Auditing Act (30 ILCS 5/3-2.4) requires the Auditor General
to review State
agencies and their cybersecurity programs and practices. During our examination
of the University’s cybersecurity program, practices, and control of
confidential information, we noted the University had not:
• Developed policies regarding configuration management, system development,
training, on-boarding, and backup verification and offsite storage.
• Formally reviewed the Policy on Appropriate Use of Information Technology
Resources and Systems (Appropriate Use Policy) since 2011.
• Conducted security awareness training.
• Conducted a comprehensive risk assessment or implemented risk reducing
controls within the examination period.
• Reviewed their Data Classification Policy since 2015.
• Classified their data in accordance with the data classification methodology.
• Documented the security solutions utilized to monitor the security of their
assets.
• Developed a comprehensive cybersecurity plan.
It was also noted the University could not provide a population of vulnerabilities identified during the examination period.
Further, this finding was first noted during the University’s Fiscal Year 2019
State compliance examination. As such, University management has been
unsuccessful in implementing a corrective action plan to remedy these
deficiencies.
We recommended the University:
• Develop policies regarding configuration management, system development,
training, onboarding, and backup verification and offsite storage.
• Conduct security awareness training.
• Conduct a comprehensive risk assessment
and implement risk reducing controls.
• Review the Appropriate Use Policy and the Data Classification Policy at least
annually.
• Classify their data in accordance with the data classification methodology.
• Document the security solutions utilized to monitor the security of their
assets.
• Develop a comprehensive cybersecurity plan.
• Strengthen controls to identify the population of vulnerabilities.
University officials accepted the finding
FEDERAL AUDITING
STATEWIDE SINGLE AUDIT UPDATE
The purpose of the Statewide Single Audit is to fulfill the State mandate in accepting federal funding. It includes all State agencies that are part of the primary government and expend federal awards. In total, 52 Illinois State agencies expended federal awards.
In our most recently completed Statewide Single Audit, we noted a total of 52
Illinois State agencies expended federal financial assistance in FY2022, and
the Schedule of Expenditures of Federal Awards for the year ended June 30, 2022
reflected total expenditures of $38.369 billion.
The Statewide Single Audit for FY2023 is not yet complete due to a number of
factors, but we expect to release that report publicly as soon as practical
following the completion of the audit.
THE PERFORMANCE AUDIT PROGRAM
Performance audits are conducted at the request of legislators to assist them in their oversight function. Based on the scope specified in the resolution or the law requesting the audit, State agencies’ programs, functions, and activities are reviewed. The audits determine if the services are provided as intended by the General Assembly and directly impact and improve agency operations.
The General Assembly uses performance audit information to develop legislation, to deal with budgetary issues, and to direct agencies to improve programs. Some audits produce immediate changes. In other instances, significant changes may not be seen for several years. The length of time it takes to see changes is due to the process of transforming the audit findings and recommendations into legislative bills and converting bills into law; additionally, once a law is implemented, the effects may not be apparent for some time.
The National State Auditors Association (NSAA) established the Excellence in Accountability Awards Program in 2003 to recognize outstanding performance audits and special projects.
Performance audits performed by the Office of the Auditor General (OAG) have received six NSAA awards in past years:
|
2021 |
Department of Children and Family
Services Investigations of Abuse and Neglect |
|
2015 |
Neighborhood Recovery Initiative |
|
2013 |
Department of State Police’s
Administration of |
|
2008 |
Mass Transit Agencies of Northeastern
Illinois: |
|
2005 |
Rend Lake Conservancy District |
|
2004 |
Illinois State Toll Highway Authority |
Another national organization, the
National Legislative Program Evaluation Society (NLPES), also has an Impact
Award which is given annually to audits that demonstrate significant dollar
savings, program improvements, or impact from The
OAG has received 23 NLPES Certificate of Impact awards since the program’s inception, including the
following audits over the last 10 years:
|
2024 |
Department of Children and Family
Services Child Safety and Well-Being |
|
2023 |
Firearm Owner’s Identification Card and
Concealed Carry License Program |
|
2022 |
Department of Children and Family
Services |
|
2021 |
Department of Children and Family
Services |
|
2020 |
Legionnaires’ Disease at the Quincy |
|
2019 |
Medicaid Managed Care Organizations |
|
2017 |
College of DuPage |
|
2015 |
Neighborhood Recovery Initiative |
PERFORMANCE AUDITS COMPLETED IN 2024
The Auditor General released five performance audits and three reviews in 2024. The performance audits released are listed below. Performance audits released in 2024 included 44 recommendations for improvement.
IDOT’S DISADVANTAGED BUSINESS ENTERPRISE (DBE) CERTIFICATION PROGRAM
On September 1, 2021, the Legislative Audit Commission adopted Resolution Number 160, which directed the Office of the Auditor General to conduct a performance audit of the Illinois Department of Transportation’s (IDOT) certification of businesses as Disadvantaged Business Enterprises through the Illinois Unified Certification Program. The Disadvantaged Business Enterprise (DBE) program is a federally mandated program intended to provide nondiscriminatory contracting opportunities for small businesses owned and controlled by socially and economically disadvantaged individuals.
The audit found:
• For federal fiscal years 2019 through 2023 (contract awards for 2023 are to March 31, 2023), nearly $5.7 billion was awarded to all contractors for Federal Highway Administration (FHWA) projects. During that period, nearly $846 million, or 14.9 percent was awarded to DBE contractors.
• Auditors found certification files maintained by IDOT to be well organized and to contain a large amount of documentation. Auditors reviewed 25 randomly selected files from firms certified between January 1, 2023, and June 30, 2023. These files were requested for review to ensure verification procedures regarding socially and economically disadvantaged status, business size, ownership, and control were adequate. Initial certification applications for all approved DBE certified firms were kept on file, and auditors found all required documentation in each of the files reviewed.
• Auditors also reviewed 25 randomly selected files from firms certified between July 1, 2020, and June 30, 2023, in order to identify those with No Change Affidavits. These files were requested annually to determine whether the firms continued to be qualified for participation. All No Change Affidavits requested by auditors were made available for testing through IDOT, and all files were properly organized and labeled. Auditors found all files selected for review contained the required documentation.
• The United States Department of Transportation (USDOT) noted that other than for some timeliness issues due to a lack of staffing, IDOT was in compliance with all aspects of the DBE certification process. It was also noted that there have been no issues identified during site visits at IDOT or with the No Change Affidavit process.
• According to documentation provided by IDOT, it has not met its aspirational DBE goals. According to the FHWA, IDOT has never met its DBE goals. Per 49 CFR Part 26.47, IDOT cannot be penalized or treated as being in noncompliance because its DBE participation falls short of its overall goal, unless it has failed to administer its program in good faith. For Federal Fiscal Year 2022, IDOT’s DBE goal was 20.27 percent, and IDOT reported 15.83 percent, which was 4.44 percent below the goal. Although IDOT has not met its goal, there have been no penalties according to an FHWA official.
• New certification employees are required to complete USDOT mandated training within 30 days of being hired and biennially (once every two years) thereafter. Auditors found that all certification employees had the required training. Additionally, the FHWA noted that IDOT was in compliance with all training requirements.
The audit report contained one recommendation directed to the Illinois Department of Transportation. The Department agreed with the recommendation.
STATE’S BOARDS AND COMMISSIONS
On April 4, 2022, the House of Representatives adopted House Resolution Number 677. This resolution required that the Auditor General conduct a management audit of the State’s boards and commissions. The resolution contained five determinations. The Governor’s Office of Executive Appointments maintains a website, which contains a list of the boards and commissions to which the Governor appoints one or more members. As referenced by the resolution, auditors used the “information compiled by the Governor’s Office of Executive Appointments” as the authoritative list of boards and commissions for the audit. The report consists of two volumes. Volume I of the report summarizes information compiled from our surveys of boards and commissions and contains four recommendations to address issues identified by our analysis of that information. Volume II of this report contains detailed information compiled for each board or commission.
The audit found:
• A total of 339 boards and commissions were identified, and we compiled information from those boards and commissions as part of this audit. Initially, a total of 366 boards and commissions were surveyed; however, 27 were eliminated from analysis for reasons such as being a duplicate board or not having any governor appointments.
• The website maintained by the Governor’s Office of Executive Appointments for the boards and commissions was not accurate and contained outdated information. Based on our review, five boards and commissions were not listed on the website that should have been listed, and 12 boards and commissions were included on the website that should not have been included.
• During the audit period of Fiscal Years 2021 and 2022, there were 101 boards and commissions that were identified as being inactive. There were seven primary reasons the boards and commissions were inactive with the most common reason being boards or commissions that did not have enough members to conduct business. If inactive boards and commissions no longer serve a purpose, they should be abolished.
• Specifically regarding the 339 boards and commissions:
— 217 (64%) had one or more board member vacancies, and 196 (58%) reported having at least one gubernatorial appointment vacancy as of June 30, 2022.
— As of June 30, 2022, there were 1,313 total vacancies, and of those vacancies, 839 were to be appointed by the Governor.
— 91 (27%) reported having at least one member serving on an expired term as of June 30, 2022.
— 206 (61%) respondents reported having some type of compensation. During Fiscal Years 2021 and 2022, the boards and commissions reported approximately $3.35 million in total compensation expenditures. This included approximately $1.60 million in Fiscal Year 2021 and approximately $1.75 million in Fiscal Year 2022.
— 202 (60%) boards and commissions reported having a meeting requirement. For these 202, 57 (28%) did not hold the required number of meetings.
— 229 (68%) boards and commissions reported having a required work product. To test if the work products were completed as required and in a timely manner, the work products were reviewed for a sample of 55 boards and commissions. Auditors found that 11 of 55 (20%) sampled boards and commissions did not complete all of their required work products. Additionally, 14 of 55 (25%) did not complete all of the required work products in a timely manner.
The audit report contained four recommendations directed to the Governor’s Office of Executive Appointments. The Governor’s Office agreed with the recommendations.
DHS OVERSIGHT AND MONITORING OF THE CILA PROGRAM
Legislative Audit Commission Resolution Number 164, adopted March 14, 2023, directed the Auditor General to conduct a performance audit of the Department of Human Services’ (DHS) oversight and monitoring of the Community Integrated Living Arrangement (CILA) program. CILAs are living arrangements certified by a community mental health or developmental services agency where eight or fewer recipients with mental illness or recipients with a developmental disability reside under the supervision of the agency. DHS, through its Bureau of Accreditation, Licensing, and Certification (BALC), is responsible for the licensing of CILA providers. Other DHS areas join BALC in monitoring and oversight of the CILA program. There were 235 CILA providers specializing in care for individuals with developmental disabilities in operation as of July 13, 2023. For the period FY21-FY23, the State expended more than $2.2 billion on CILAs.
The audit found:
CILA Licensing Process
• In accordance with the CILA rule, DHS conducts licensing surveys of CILA programs. During the COVID-19 pandemic, DHS implemented a temporary self-assessment process for licensing. However, DHS failed to ensure that all CILA providers followed protocols relative to self- assessments. Thirty-six percent of our sample population had no self-assessment during the period beginning July 2020 through May 2021, a period determined by DHS. The average number of days between BALC surveys for those CILA providers without self-assessments was 889 days. Additionally, BALC officials also failed to conduct all of its monitoring activities during the self-assessment period by not completing all required interviews of residents, guardians, and CILA staff.
• DHS failed to conduct BALC licensing surveys in a thorough, accurate, and timely manner. We found instances of BALC not following established criteria in the review of CILA providers for determining whether a license should be renewed.
• DHS serves a Notice of Violation (NOV) when deficiencies are noted during a survey. We noted several issues with the use of NOV forms:
— DHS failed to report violations identified in self-assessments and BALC reviews on a NOV form. In the case of one self-assessment, DHS did not issue an NOV despite a provider self- reporting nine violations. Sixteen out of forty-seven NOVs in our sample had violations noted during full and focus surveys that were not included on the NOV.
— Additionally, violations reported on NOVs were not entered into the DHS’s NOV database. Seven out of sixteen self-assessments received an NOV with violations and had some or all violations missing from the NOV database. Additionally, 14 of 47 BALC surveys had some or all violations from the NOV not entered into the NOV database.
• CILA providers are required to report suspected instances of abuse or neglect against individuals to the DHS Office of the Inspector General (OIG). However, DHS failed to ensure that BALC surveyors reviewed whether the timeliness of CILA providers reporting of OIG incidents complied with reporting requirements. We found 34 instances, at five providers, where evidence showed noncompliant reporting yet the scoring did not parallel the late reporting.
• DHS allowed a CILA provider to remain serving residents on a continued license even though its original license had been expired for nearly 900 days. While DHS had no documentation in its file for the provider and the providers dispute with the Office of the State Fire Marshal, DHS issued three continuations for the CILA license.
DHS Monitoring of the CILA Program
• A DHS CILA monitoring unit has operated for five fiscal years under a draft policy and procedure manual. Additionally, a DHS licensing unit had a policy and procedure manual that had conflicting requirements related to survey requirements.
• DHS failed to enforce admissions restrictions on CILA providers that were on probation based on unacceptable licensing survey scores. The failure led to five individuals from our sample being admitted to providers that failed to achieve minimally acceptable scores from BALC officials.
• DHS failed to assign division monitors to oversee corrective actions by CILA providers with the worst licensing survey scores. This failure is a violation of administrative rule.
• DHS failed to sanction a CILA provider that repeatedly refused to cooperate with OIG investigations of allegations against the provider. Our examination of OIG investigative reports found 22 instances where the provider violated State law or rule by not cooperating with OIG investigations. DHS could not provide any documentation to show it took any actions against the provider for a failure to cooperate.
• DHS failed to consistently apply CILA rules to all providers that failed to correct noted deficiencies. While some providers had CILA licenses revoked, others were allowed to continue in the program despite not correcting deficiencies. Additionally, for providers allowed to remain in the program, DHS did not have documentation to support plans of correction for the uncorrected deficiencies.
Emergency Call Notifications
• Public Act 101-0075 required facilities licensed under the CILA Act to notify DHS when emergency calls are made from the facility. The Public Act also required DHS to adopt rules to implement the new requirement. However, DHS failed to follow State statute and develop administrative rules for emergency notifications made from CILA locations. While DHS did revise the CILA Rule 1,246 days after the effective date of the emergency notification requirement, that revision failed to contain a definition of “emergency call” or any penalties for non-compliance.
• DHS developed the Critical Incident Reporting Analysis System (CIRAS) to capture electronic reports from providers and Independent Service Coordinators (ISCs) for critical incidents involving individuals with developmental disabilities. However, DHS failed to hold CILA providers that were not compliant with CIRAS reporting requirements accountable. Over the period
• FY20-FY23, 41 percent of CIRAS incident reports were not made within the required two working day requirement. Failure to enforce the reporting requirements resulted in one CILA provider taking 563 days, on average, to report FY20 incidents.
• DHS failed to enforce its own procedures relative to CILA providers maintaining the requisite number of reporters for the CIRAS system.
• All CIRAS submissions require either a next day follow up or a 10-day follow up. However, DHS failed to take steps necessary to ensure ISCs conducted follow up activities as required by Department procedure. This resulted in 76 percent of the next day follow up to cases either not being conducted or not conducted timely. Additionally, 10,617 cases that required 10-day follow up were not conducted by the ISC. For the 10-day follow up, 28 percent of the cases were not initially followed up timely. Finally, DHS could not provide sufficient documentation to support its own compliance with the procedures for following up with ISCs.
• DHS has implemented a process for reporting critical incidents that results in under-reporting. DHS requirements for abuse, neglect, and exploitation require reporters to send those allegations to OIG. However, when OIG is unable to substantiate the allegations, the information is not included in the reporting of critical incidents in the CIRAS database. CILA providers and ISCs have reporting understandings that differ from the DHS reporting criteria.
The audit report contained 15 recommendations directed to DHS. DHS accepted the recommendations.
DHS OFFICE OF THE INSPECTOR GENERAL
The Department of Human Services Act (Act) directs the Auditor General to conduct a program audit of the Department of Human Services, Office of the Inspector General on an as-needed basis. Section 1-17(w) of the Act that establishes the authority for this audit can be seen in Appendix A. The Act specifically requires the audit to include the Inspector General’s compliance with the Act and effectiveness in investigating reports of allegations occurring in any State-operated facility or community agency (20 ILCS 1305/1-17(w)). The Office of the Auditor General has previously conducted 13 program audits of DHS OIG. The first audit was released in 1990 and the most recent in 2021, which covered FY18 through FY20. This audit covers FY21 through FY23.
The Department of Human Services Act requires the Office of the Inspector General (OIG) to investigate allegations of abuse and neglect that occur in mental health and developmental disability facilities operated by the Department of Human Services (DHS). The Act also requires the OIG to investigate allegations of abuse and neglect that occur in community agencies licensed, certified, or funded by DHS to provide mental health and developmental disability services.
The audit found:
• During FY23, there were a total 394 community agencies with 4,217 program sites that were under the investigative jurisdiction of the OIG. In addition, there were also 13 State-operated facilities under the investigative jurisdiction of the OIG. OIG investigators in many cases are responsible for hundreds of program sites covering large areas of the State, as well as State-operated facilities.
• The total number of allegations in FY21 (2,423) was the lowest number of allegations received since FY11 (2,255). However, the total number of allegations increased to 2,772 in FY22 and 3,281 in FY23. For FY11 through FY23, community agency allegations accounted for 59 to 73 percent of all reported allegations of abuse or neglect. For FY21, FY22, and FY23, community agency allegations accounted for 61 percent, 62 percent, and 59 percent of all reported allegations of abuse or neglect, respectively.
• Cases took an average of 205 calendar days to complete during FY23, or an increase of 25 days, when compared to the FY20 audit.
• For FY23, 22 percent of cases were completed within 60 calendar days, which represents an 8 percent decrease in timeliness from the prior audit and a 14 percent decrease when compared to FY21 (36%) and FY22 (36%).
• The timeliness of case file reviews has worsened since the FY20 audit. During FY20, it took the OIG on average 41 days to complete a supervisory review of substantiated cases. During this audit period, the average number of calendar days to review substantiated cases for FY21 was 71 days, for FY22 was 66 days, and for FY23 was 86 days.
• The Department of Human Services Act and the OIG’s administrative rules require that allegations be reported to the OIG Hotline within four hours of initial discovery of the incident of alleged abuse or neglect. For FY21 through FY23, the percentage of allegations not reported within the statutorily required four hours for community agencies was between 15 and 16 percent. For State-operated facilities during the same time period, the number of allegations not reported within the four-hour time frame was between 7 and 10 percent.
• For FY21 through FY23, auditors found that 20 of the 42 (48%) unannounced site visit reports were sent outside of 60 days. No supporting documentation could be provided to show that an OIG employee was on site for the second unannounced site visit date at each State-operated facility for FY22 and FY23.
• During the audit period, FY21 through FY23, the OIG requested to hire for 38 positions. Of these 38 hiring requests, 17 positions had been filled as of August 17, 2023, and 21 were still vacant. Once the position was posted, two positions were filled within three months, ten positions took between 4 and 6 months to fill, and five positions took between 7 and 12 months to fill after the hiring request was made.
• For FY23, DHS reported that 5,024 of 7,206 (70%) State-operated facility employees had overtime. The 5,024 employees accumulated 1,606,962 hours of overtime during FY23; 793 of these employees accumulated between 501 and 997 hours of overtime, and 330 employees accumulated over 1,000 hours of overtime during FY23 (318 of these 330 were employees with a direct care job title). These 318 employees accumulated a total of 443,527 hours of overtime during FY23. Multiple academic studies have found that excessive amounts of overtime can have a detrimental effect on the care provided to residents or patients, as well as the health care workers providing the care.
This audit report contained 12 recommendations. Eight were directed to the Office of the Inspector General, two were directed to the Department of Human Services, and two were directed at both OIG and DHS. The OIG and DHS agreed with the recommendations.
DHS OVERSIGHT OF THE INDEPENDENT SERVICE COORDINATION PROGRAM
House Resolution Number 66 directed the Office of the Auditor General to conduct a performance audit of the oversight of the Independent Service Coordination (ISC) program by the Department of Human Services’ Division of Developmental Disabilities (DDD). ISC agencies are contracted with DDD to provide case management/service coordination to individuals with developmental disabilities.
It is the primary responsibility of the Grant Management Unit within DDD to provide monitoring and oversight to the ISC agencies based on all activities in the grant agreements.
During the audit period FY21-FY23, there were eight ISC agencies providing case management services to an average of nearly 25,000 individuals with developmental disabilities. These eight
ISC agencies expended more than $133 million on ISC services.
The audit found:
Funding for the ISC Program
The majority of funding provided to ISC agencies is for case management services supported by the Waiver program. These services are billed on a fee-for-service basis and are based on a DHS calculation. The billings are limited to the maximum budget total for each grant. During the audit period, DHS had not analyzed the formula that sets the rate which ISC agencies are reimbursed for case management services. DHS has excluded ISC agency services from any external reviews and has not addressed the recommendations from the reviews involving aspects of the ISC program.
• DHS rejected more than $1.7 million in case management bills submitted by the ISC agencies during the audit period. While some of those rejections could have been for legitimate reasons, our analysis found that more than 40 percent of the total rejected bills were for an unknown error. DHS could not explain the reasons for the unknown errors. Further, DDD, the Division charged with oversight of the ISC agencies, does not regularly review the rejected billing data and does not have complete access to all rejected billings.
Examination of ISC Caseloads
DHS does not have a set required minimum or maximum ISC case manager ratio (number of individuals served by a case manager) and does not track this ratio information. The Community Services Act requires DHS to include case coordination services as part of its community services system and also establishes that one factor of the funding methodologies be staffing ratios.
DHS could not provide the addresses for the entire population of individuals served by ISC agencies. As a result, we reviewed ISC agency coverage on a sample basis. During testing, we found that DHS did not adhere to the ISC Manual and utilized an unwritten policy to allow an individual to choose an ISC agency outside of the individual’s assigned region. DHS could not provide any additional documentation to support its decision.
ISC Agency Documentation and Reporting Allegations
ISC agencies are statutorily required to be mandated reporters of allegations of suspected abuse, neglect, and financial exploitation. However, DHS does not know and does not track if ISC agencies are statutorily meeting the requirement to report all allegations to the four oversight entities: DHS’ Office of Inspector General (OIG), Adult Protective Services (APS) within the Department on Aging, the Department of Children and Family Services (DCFS), and the Department of Public Health (DPH). During testing, we did not find any instance of noncompliance by the ISC agencies with the mandated reporting requirement.
DHS does not regularly share allegation information with the ISC agencies. In our sample of 75 individuals receiving waiver services, we identified 41 instances of allegations of abuse, neglect, or financial exploitation from OIG and APS data. We found that ISC agencies had no documentation to support awareness of a known allegation in 30 out of 41 instances. DHS stated that neither DHS nor anyone else is required to inform the ISC agency of an allegation or share the results of an investigation with the ISC agency.
Oversight and Monitoring
It is the primary responsibility of the Grant Management Unit within DDD to provide monitoring and oversight to the ISC agencies based on all activities in the grant agreements. However, DDD failed to adequately oversee and monitor the ISC program. While ISC agencies receive a number of reviews, we found overlapping waiver-focused reviews and limited coordination with the Division.
• DDD has not updated the ISC Manual to reflect the number of required waiver visits found in the FY23 grant agreements. Additionally, DDD has not updated the ISC Manual or the grant agreement to reflect the proper program codes, which was a pre-COVID pandemic change that went into effect more than five years ago.
• ISC agencies are required to complete the person-centered planning process initially and annually. The purpose of the person centered planning process is to gather information about an individual’s interests, preferences, and abilities and to outline the delivery of services. During testing, we found missing or not timely discovery tool or personal plan updates in at least one fiscal year for 33 of 75 individuals sampled.
• ISC agencies are also responsible for conducting monitoring visits to ensure implementation of the personal plan, as well as ensure the health, safety, and welfare of individuals receiving developmental disability services. During testing, we found only 86 percent of the required visits were conducted for the 75 individuals sampled.
• DHS did not monitor the Americans with Disabilities Act (ADA)/Olmstead Outreach and Housing Navigator pilot programs. These programs were new for FY23 and provided a total of $725,000 in funding to the ISC agencies. DHS failed to request grant funds back from one ISC agency, Champaign County Region Planning Commission, who received more than $49,000 in funding for both programs, yet admittedly did not conduct any of the required activities for either program. We reviewed Housing Navigator program information and found three out of eight ISC agencies did not secure housing for a single individual as part of the Housing Navigator program. Additionally, the ISC agencies did not always provide complete information on the required grant deliverables, and did not always conduct the training, presentations, and meetings as required.
The audit report contained 12 recommendations directed to the Department of Human Services. The Department agreed with the recommendations.
REGIONAL OFFICES OF EDUCATION AUDITS
In addition to other duties, the Auditor General has the responsibility for annual audits of the financial statements of the regional superintendent of schools of each educational service region in the State.
There were a total of 38 Fiscal Year 2023 audits the Performance Audit Division
had the responsibility for: 35 of Regional Offices of Education (ROEs) and 3 of
Intermediate Service Centers (ISCs). Our Office arranged for auditing firms to
perform these audits under the general direction and management of the Auditor
General’s audit managers.
The FY23 ROE audits released in 2024 contained a total of 13 recommendations for improvement. Most of the recommendations dealt with the ROEs not having sufficient internal controls including controls over their financial reporting processes
PERFORMANCE AUDITS IN PROGRESS
HFS MEDICAID SERVICES FOR UNDOCUMENTED IMMIGRANTS
On November 7, 2023, the Legislative Audit Commission adopted Resolution Number 165, which directed the Office of the Auditor General to conduct a performance audit of the Department of Healthcare and Family Services’ (HFS) administration of the program of Medicaid services and coverage provided to undocumented immigrants. The audit was to specifically include, but not be limited to, the following determinations:
1.) A review of HFS’ initial program enrollment and cost estimates for fiscal years 2021, 2022, and 2023 for Medicaid services for undocumented immigrants;
2.) A review of the actual program enrollment numbers and amount of money expended for fiscal years 2021, 2022, and 2023 for Medicaid services for undocumented immigrants;
3.) The cost for each level of expansion of Medicaid services for undocumented immigrants for fiscal years 2021, 2022, and 2023;
4.) The cost by category of service for Medicaid services for undocumented immigrants for fiscal years 2021, 2022, and 2023; and
5.) An examination of inpatient reimbursement through fee-for-service payments for undocumented immigrants using enhanced rates.
STATE’S BUSINESS ENTERPRISE PROGRAM AND VETERANS BUSINESS PROGRAM
On February 20, 2024, the Legislative Audit Commission adopted Resolution Number 166 which directed the Office of the Auditor General to conduct a performance audit of both the State’s Business Enterprise Program, including the certification program for businesses owned by minorities, women, and persons with disabilities, and the State’s Veterans Business Program. The Resolution directed that the audit, for the period FY22 and FY23, include but not be limited to the following determinations:
1.) Whether certification and recertification procedures are adequate to assure that businesses participating in the Business Enterprise Program are legitimately classified as businesses owned and controlled by minorities, women, or persons with disabilities and that businesses participating in the Veterans Business Program are legitimately classified as a Veteran Owned Business;
2.) Whether the established procedures and processes that govern certification of businesses owned and controlled by minorities, women, persons with disabilities, or veterans are being followed;
3.) Whether staff responsible for certification of these businesses have received adequate training;
4.) What steps are followed to verify information provided by businesses participating in the Business Enterprise Program and the Veterans Business Program, such as review of pertinent documentation, interviews, and on-site visits;
5.) Whether the certifications are periodically reviewed to ensure that businesses in the programs continue to be qualified for participation; and
6.) Whether procedures for enforcing compliance, including contract termination and contractor suspension, are adequate and uniformly enforced.
IEMA’S ADMINISTRATION OF CONTRACTS AND STAFFING
On May 20, 2024, the Legislative Audit Commission adopted Resolution Number 167 which directed the Office of the Auditor General to conduct a performance of the Illinois Emergency Management Agency’s administration of contracts and staffing.
The Resolution directed that the audit, for the period FY22 and FY23, include but not be limited to the following determinations:
1.) An examination of contracts, specifically contracts that include billable hours, to determine: the purpose of the contracts, the extent contracts were monitored, whether billings were adequately supported, and whether all deliverables were met;
2.) An examination of the organizational structure at IEMA to determine the number of unfunded positions, the number of funded positions, the number of vacant positions, and whether any IEMA official/employees had involvement with outside contractors;
3.) The amount of overtime incurred including an analysis of the types of positions incurring overtime, the approval process for the overtime payment requests, and, if any overpayments have been processed, whether IEMA has collected the overpayments.
MEDICAID ELIGIBILITY DETERMINATIONS FOR LONG-TERM CARE
On August 25, 2017, the Governor signed into law Public Act 100-380 which amended the Public Aid Code. This amendment to the Public Aid Code requires the Auditor General to report every three years to the General Assembly on the performance and compliance of the Department of Healthcare and Family Services (HFS), the Department of Human Services (DHS), and the Department on Aging in meeting the requirements placed upon them by Section 11- 5.4 of the Public Aid Code and federal requirements concerning eligibility determinations for Medicaid long term care services and supports. This is the third audit conducted.
The audit is to, at a minimum, review, consider, and evaluate the following:
• Compliance with federal regulations on furnishing services as related to Medicaid long-term care services and supports as provided under 42 CFR 435.930 – i.e., furnish Medicaid promptly to beneficiaries without any delay caused by the agency’s administrative procedures;
• Compliance with federal regulations on the timely determination of eligibility as provided under 42 CFR 435.912 – i.e., the determination of eligibility for any applicant may not exceed: (i) Ninety days for applicants who apply for Medicaid on the basis of disability; and (ii) Forty-five days for all other applicants;
• The accuracy and completeness of the report required under paragraph (9) of subsection (e) (following Public Act 100-665, 305 ILCS 5/11- 5.4(f)) – i.e., monthly reports posted to the DHS and HFS websites on the applications and redeterminations pending LTC eligibility determination and admission and the number of appeals of denials in given categories;
• The efficacy and efficiency of the task-based process used for making eligibility determinations in the centralized offices of the Department of Human Services for long-term care services, including the role of the State’s integrated eligibility system, as opposed to the traditional caseworker-specific process from which these central offices have converted; and
• Any issues affecting eligibility determinations related to the Department of Human Services’ staff completing Medicaid eligibility determinations instead of the designated single- state Medicaid agency in Illinois, the Department of Healthcare and Family Services.
DCFS CHILD SAFETY AND WELL-BEING
Public Act 101-0237 was enacted on August 9, 2019, and it amended both the Children and Family Services Act (20 ILCS 505) and the Abused and Neglected Child Reporting Act (325 ILCS 5). The Public Act also directed the Auditor General to conduct a performance audit one year after the effective date of January 1, 2020. The audit is to determine if the Department of Children and Family Services (DCFS) is meeting the requirements of the Public Act. Within two years of the audit’s release, the Auditor General is to conduct a follow-up performance audit in order to determine if DCFS has implemented the recommendations within the initial performance audit. The initial audit was released in May of 2022. The follow-up audit is in process.
REGIONAL OFFICES OF EDUCATION
Since 2002, the School Code (105 ILCS 5/2-3.17a) has required the Auditor General’s Office to conduct annual audits of the financial statements of all accounts, funds, and other moneys in the care, custody, or control of the regional superintendent of schools of each educational service region in the State. For Fiscal Year 2024, a total of 38 audits are to be performed.
OAG FRAUD HOTLINE
The Auditor General’s Office is required by law [30 ILCS 5/2-15, added by P.A. 97-261, effective August 5, 2011] to operate a toll-free fraud hotline for the public to report allegations of fraud in the executive branch of State government. The hotline went into operation at the beginning of January 2012.
The toll free number is 1-855-217-1895. The hotline is available 24 hours a day, 7 days a week. Live operators are generally available Monday-Friday from 8:00 a.m. to 4:00 p.m. (CST).
In addition to calling the toll-free number, other options have been established for the public to report allegations of fraud. The public may also:
• Complete the Fraud Reporting Form on-line located on the OAG web-site (www.auditor.illinois.gov);
• E-mail a description of the allegation to: Hotline@auditor.illinois.gov;
• Contact the Auditor General via telecommunications device for the disabled (TTY) at 1-888-261-2887; or
• Send a written report via the U.S. Postal Service to the following address:
Fraud Hotline, Auditor General’s Office, 400 West Monroe, Suite 306, Springfield, IL 62704-9849.
Individuals reporting alleged fraud to the hotline may remain anonymous. However, if the individual chooses not to be identified, the Office’s ability to follow up on the allegation may be limited.
More information regarding the reporting of fraud allegations can be found at the Fraud Hotline section of the OAG website. Jurisdiction of the Fraud Hotline does not include the legislative or judicial branches of government, nor units of local government. Other resources the public may use to report fraud if it is outside of the jurisdiction of the OAG can also be found on the website. Even if the Auditor General’s Office does not have jurisdiction over the allegation, our hotline manager will try to direct the caller to another State, federal, or local agency that may be able to help. Image
CONTINUING PROFESSIONAL EDUCATION AND TRAINING REQUIREMENTS
The U.S. Government Accountability Office established Government Auditing Standards (the Yellow Book) for performing high-quality audit work with competence, integrity, objectivity, and independence to provide accountability and to help improve government operations and services.
The Yellow Book standard relating to competence specifies that management must assign auditors to conduct the engagement who collectively possess the competence needed to address the engagement objectives and perform their work in accordance with Generally Accepted Government Auditing Standards (GAGAS).
Auditors who plan, direct, perform engagement procedures for, or report on an engagement conducted in accordance with GAGAS should develop and maintain their professional competence by completing at least 80 hours of continuing professional education (CPE) every 2 years.
A minimum 24 hours of that CPE should be directly related to the government environment, government auditing, or the specific or unique environment in which the audited entity operates. The remaining 56 CPE hours should be in subject matter that directly enhances auditors’ professional expertise to conduct engagements. Auditors should complete at least 20 hours of CPE in each year of the 2-year period.
Auditors hired or assigned to a GAGAS engagement after the beginning of the 2-year CPE period may complete a prorated number of CPE hours. Also, auditors who charge less than 20 percent of their time annually to engagements conducted in accordance with GAGAS and are not involved in planning, directing, or reporting on the engagement need only complete the 24-hour requirement.
The most recently completed 2-year period for CPE requirements as measured by the Office of the Auditor General was January 1, 2023, through December 31, 2024. All auditors, audit directors, and information specialists required to meet the CPE standards were in compliance for this 2-year period.
Additionally, the Office of the Auditor General is a registered sponsor with the Illinois Department of Financial and Professional Regulation, and complies with the rules of the Illinois Public Accounting Act.
THE INFORMATION SYSTEMS AUDIT PROGRAM
Computers are an integral part of State government, processing billions of dollars in financial transactions each year and helping control the operations of State agencies. Since financial transactions and confidential information are processed using computers, audits of information system activities are necessary to ensure that computer processing is secure and accurate.
TESTING CONTROLS AND SYSTEMS
The Auditor General’s office plans to continue to emphasize the review of information system controls at State agencies. We performed expanded information system reviews at the following agencies:
Department of Agriculture, Department of Central Management Services, Illinois Commerce Commission, Illinois Community College Board, Office of Comptroller, Illinois Criminal Justice Information Authority, Eastern Illinois University, Illinois Emergency Management Agency and Office of Homeland Security, Department of Employment Security, Governors State University, Department of Healthcare and Family Services, Department of Human Services, Illinois State University, Illinois Liquor Control Commission, Department of Lottery, Northeastern Illinois University, Department of Public Health, Department of Revenue, Office of Secretary of State, Illinois State Board of Investments, Illinois State Board of Elections, State Employee Retirement System, State University Retirement System, Teachers’ Retirement System, Office of Treasurer, Illinois Workers’ Compensation Commission, and Western Illinois University.
To enhance the control environment, the Auditor General has emphasized the review of cybersecurity, networks, access rights, and the security and control of confidential information. These reviews have focused on the necessity of establishing consistent and effective security policies and programs, performing comprehensive risk assessments, and implementing comprehensive security techniques on all computer systems.
ISA FINDINGS
Nine agencies — Chicago State University, Office of Comptroller, Eastern Illinois University, Department of Employment Security, Governors State University, Illinois State University, Northeastern Illinois University, Office of Secretary of State, and Southern Illinois University — had not established adequate controls for securing their computer resources.
We recommended that these agencies evaluate their computer environments and ensure adequate security controls and policies exist to safeguard computer resources.
Eight agencies — Department of Employment Security, Governors State University, Illinois Conservation Foundation, Illinois Liquor Control Commission, Department of Public Health, Office of Secretary of State, Southern Illinois University, and Western Illinois University — had not completed all requirements to demonstrate full compliance with the Payment Card Industry Data Security Standards. We recommended that these agencies at least annually, assess each program accepting credit card payments, review and validate its environment, and ensure agreements with service providers are current and maintained.
Twelve agencies — Chicago State University, General Assembly Retirement System, Governors State University, Illinois Gaming Board, Illinois State University, Judges’ Retirement System, Department of Labor, Northeastern Illinois University, Illinois State Board of Elections, State Employee Retirement System, Southern Illinois University, and Western Illinois University — had not implemented effective change management processes to ensure changes to computer applications were properly approved, tested, and documented. We recommended that these agencies develop and implement change management standards to ensure adequate oversight of all changes to computer applications.
Nineteen agencies — Abraham Lincoln Presidential Library and Museum, Illinois Board of Higher Education, Office of Comptroller, Illinois Court of Claims, Illinois Criminal Justice Information Authority, Department of Employment Security, General Assembly Retirement System, Governors State University, Illinois Finance Authority, Judges’ Retirement System, Department of Labor, Illinois Liquor Control Commission, Office of Secretary of State, Illinois State Board of Elections, State Employee Retirement System, Southern Illinois University, University of Illinois, Western Illinois University, and Illinois Workers’ Compensation Commission — had not developed or implemented access provisioning policies to ensure access rights to computer systems were properly controlled. We recommended that these agencies develop and implement access provisioning policies to ensure access rights are approved, disabled timely, and periodically reviewed.
Thirty-eight agencies — Department of Agriculture, Illinois Arts Council and Foundation, Illinois Board of Higher Education, Chicago State University, Illinois Community College Board, Office of Comptroller, Illinois Council on Developmental Disabilities, Illinois Court of Claims, Illinois Criminal Justice Information Authority, Illinois Deaf and Hard of Hearing Commission, Eastern Illinois University, Illinois Emergency Management Agency and Office of Homeland Security, Department of Employment Security, Illinois Executive Ethics Commission, Illinois Executive Office of Inspector General, Illinois General Assembly, Governors State University, Illinois Guardianship and Advocacy Commission, Department of Healthcare and Family Services, Illinois Housing Development Authority, Illinois Workers’ Compensation Commission, Illinois Conservation Foundation, Illinois State University, Independent Tax Tribunal Board, Illinois Liquor Control Commission, Northeastern Illinois University, Department of Public Health, Department of Revenue, Office of Secretary of State, Southern Illinois University, Illinois State Board of Education, Illinois State Board of Elections, Illinois State Board of Investment, State Universities Retirement System, Illinois Supreme Court, Teachers’ Retirement System, Office of Treasurer, and Western Illinois University — did not perform and document internal control reviews of all external data processing related service providers. We recommended that these agencies obtain or perform independent reviews of internal controls associated with service providers at least annually.
Twenty-five agencies — Abraham Lincoln Presidential Library and Museum, Department of Agriculture, Illinois Arts Council and Foundation, Chicago State University, Illinois Community College Board, Office of Comptroller, Illinois Council on Developmental Disabilities, Illinois Criminal Justice Information Authority, Illinois Deaf and Hard of Hearing Commission, Department of Human Rights, Department of Lottery, Illinois Educational Labor Relations Board, Illinois Emergency Management Agency and Office of Homeland Security, Department of Employment Security, Illinois Executive Ethics Commission, Illinois Executive Office of Inspector General, Department of Healthcare and Family Services, Illinois Workers’ Compensation Commission, Illinois State University, Independent Tax Tribunal Board, Department of Labor, Illinois Liquor Control Commission, Illinois Mathematics and Science Academy, Illinois State Board of Elections, and State Universities Retirement System — had not adequately developed or tested recovery plans to provide for continuation of critical computer operations in the event of a disaster. We recommended that these agencies develop and test disaster contingency plans.
Cybersecurity Audits
Public Act 100-914 amended the Illinois State Auditing Act (30 ILCS 5/3-2.4 new) to specifically include Cybersecurity as part of our Compliance Examination program with an effective date of January 1, 2019.
Sec. 3-2.4. Cybersecurity audit.
A.) In conjunction with its annual compliance examination program, the Auditor General shall review State agencies and their cybersecurity programs and practices, with a particular focus on agencies holding large volumes of personal information.
B.) The review required under this Section shall, at a minimum, assess the following:
1. the effectiveness of State agency cybersecurity practices;
2. the risks or vulnerabilities of the cybersecurity systems used by State agencies;
3. the types of information that are most susceptible to attack;
4. ways to improve cybersecurity and eliminate vulnerabilities to State cybersecurity systems; and
5. any other information concerning the cybersecurity of State agencies that the Auditor General deems necessary and proper.
C.) Any findings resulting from the testing conducted under this section shall be included within the applicable State agency’s compliance examination report.
To address the amendment, on the compliance examinations, we did the following:
• Updated the Compliance Audit Guide to include specific questions concerning cybersecurity practices, policies and procedures, training, roles and responsibilities, risk assessments, and data classifications. In addition, we provided guidance to assist audit staff and contractors in obtaining and reviewing documentation to support responses.
• Performed detailed testing at 24 agencies as part of the June 30, 2023 compliance examinations. We provided these agencies with detailed information regarding our analysis and, if appropriate, we developed findings.
• Performed follow up procedures for any entity that had a cybersecurity finding reported in their previous report as required by Government Auditing Standards.
As a result of our processes, we identified significant weaknesses at 46 agencies:
Abraham Lincoln Presidential Library and Museum, Department of Agriculture, Illinois Arts Council and Foundation, Illinois Board of Higher Education, Department of Central Management Services, Chicago State University, Illinois Commerce Commission, Illinois Community College Board, Office of Comptroller, Illinois Council on Developmental Disabilities, Illinois Criminal Justice Information Authority, Illinois Deaf and Hard of Hearing Commission, Department of Human Rights, Department of Lottery, Eastern Illinois University, Illinois Educational Labor Relations Board, Illinois Emergency Management Agency and Office of Homeland Security, Department of Employment Security, Illinois Executive Ethics Commission, Illinois Executive Office of Inspector General, Illinois General Assembly, Office of Governor, Governor’s Office of Management and Budget, Governors State University, Illinois Guardianship and Advocacy Commission, Department of Healthcare and Family Services, Illinois Finance Authority, Illinois State University, Independent Tax Tribunal Board, Department of Labor, Illinois Legislative Reference Bureau, Office of Lieutenant Governor, Illinois Liquor Control Commission, Illinois Mathematics and Science Academy, Northeastern Illinois University, Department of Public Health, Office of Secretary of State, Southern Illinois University, Illinois State Board of Elections, Illinois State Board of Investment, State Universities Retirement System, Illinois Supreme Court, Teachers’ Retirement System, University of Illinois, Western Illinois University, and Illinois Workers’ Compensation Commission.
To promote agencies’ responsibility to ensure that confidential information is protected from accidental or unauthorized disclosure, we generally recommended they:
• Establish and document cybersecurity roles and responsibilities.
• Establish and communicate policies, procedures and processes to manage and monitor the regulatory, legal, environmental and operational requirements.
• Perform a comprehensive risk assessment to identify and ensure adequate protection of confidential or personal information most susceptible to attack.
• Classify data to establish the types of information most susceptible to attack to ensure adequate protection.
• Ensure all employees annually complete cybersecurity training as outlined in the Data Security on State Computers Act.
• Evaluate and implement appropriate controls to reduce risk of attack.
We will continue to review cybersecurity programs and practices in our June 30, 2024 compliance examinations.
Agency officials generally concurred with our recommendations concerning these issues.
The information systems audit staff and contractors also reviewed and tested the systems and procedures at the Department of Innovation and Technology for the year ended June 30, 2024. We released three System and Organization Control (SOC) Reports regarding the Department’s control environment.
Information Technology Hosting Services -
the Department provides Information Technology Hosting Services for state agencies.
This SOC Report contained a qualified opinion as a result of the controls related to the trust services criteria stated in the “State of Illinois, Department of Innovation and Technology’s Description of its Information Technology Hosting Services System” were not suitably designed to provide reasonable assurance the trust services criteria would be achieved.
Information Technology Shared Services -
the Department provides Information Technology Hosting Services for state agencies.
This SOC Report contained a qualified opinion as a result of the controls related to the control objectives stated in the “Description of the Information Technology Shared Services System” were not suitably designed or did not operate effectively to provide reasonable assurance the control objectives would be achieved.
State of Illinois, Enterprise Resource Planning System -
the Enterprise Resource Planning System is utilized by state agencies.
This SOC Report contained an unqualified opinion.
As a result of the modified opinions, auditors of these agencies will likely modify the agency-level risk assessments to accommodate the additional risk to agencies and perform additional procedures to properly address these risks.
Department officials accepted the recommendations in the SOC reports.
OTHER OFFICE RESPONSIBILITIES
ANNUAL AUDIT ADVISORY
Every year, the Auditor General’s Office distributes an Illinois Audit Advisory to all State agencies for the purpose of sharing information that may make their operations more efficient and effective, and increase compliance with State law. Copies of this audit advisory are available on our website at: www.auditor.illinois.gov.
COMPTROLLER’S ACCOUNTING SYSTEM REVIEW
The Auditor General is required by law to annually review the Comptroller’s Statewide accounting system. This review is accomplished through the Office’s audit of the State Comptroller, and by ensuring that all agency audits are performed in accordance with the Auditor General’s Audit Guide.
In addition, the Auditor General annually reviews the State Comptroller’s pre-audit function. Pre-audit is the primary control over expenditure voucher processing. The State Comptroller pre-audits financial transactions to determine if they are proper and legal.
PEER REVIEW
Peer review is an external quality control review conducted every three years by audit professionals from across the United States who are selected by the National State Auditors Association. The peer review helps to ensure that our procedures meet all required professional standards, comply with Government Auditing Standards and produce reliable products for the agencies we audit.
The September 2023 peer review of the Auditor General’s audit processes resulted in an unmodified (clean) opinion. Additionally, the peer review team did not note any deviations from professional standards that would have required a written letter of comments. Our prior peer reviews, conducted in 1996, 1999 and 2002, 2005, 2008, 2011, 2014, 2017 and 2020 likewise resulted in unmodified opinions. Our next peer review is slated for 2026.
STATE ACTUARY
Public Act 97-694, effective June 18, 2012, directed the Auditor General to “contract with or hire an actuary to serve as the State Actuary.” Among its duties, the State Actuary is required to “review assumptions and valuations prepared by actuaries retained by the boards of trustees of the State-funded retirement systems” and “issue preliminary reports...concerning proposed certifications of required State contributions submitted to the State Actuary by those boards.” [30 ILCS 5/2-8.1 (a) and (b)] In addition, Public Act 100-465, effective August 31, 2017, added a similar requirement for the State Actuary to review the Public School Teachers’ Pension and Retirement Fund of Chicago. [40 ILCS 5/17-127(e)] Through a competitive proposal process, the Auditor General awarded a contract in August 2012 to Cheiron, a full-service actuarial and consulting firm.
Cheiron issued its preliminary reports to the public retirement systems on November 26, 2024. As required by statute, the Auditor General submitted a written report to the General Assembly and Governor on December 19, 2024, documenting the initial assumptions and valuations prepared by the actuaries retained by the boards of trustees of the State-funded retirement systems, the State Actuary’s preliminary reports, and the responses of each board to the State Actuary’s recommendations. The report is available in its entirety on our website at www.auditor.illinois.gov.
CLAIMS DUE THE STATE AND METHODS OF COLLECTION
As required by law [30 ILCS 205/2 (k)], the Office of the Auditor General is reporting that there were no outstanding claims administered by the Office that were due and payable to the State as of December 31, 2024. The accounts receivables generated by our Office primarily represent billings to other State agencies for reimbursement of audit costs. Reimbursements for federal single audits are deposited into the General Revenue Fund. Reimbursements for audits not associated with federal single audits are deposited or transferred to the Audit Expense Fund. If normal collection methods fail, we request assistance from the Office of the Attorney General. To date we have never used the services of a private collection agency.
SUMMARY OF APPROPRIATIONS AND EXPENDITURES
The Office of the Auditor General was funded by appropriations from the General Revenue Fund and Audit Expense Fund for Fiscal Year 2024 (July 1, 2023 to August 31, 2024, including lapse period).
FY 2024 - FINAL
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Appropriation . . . . . .Expended . . . . . . . Balance
GRF Operations:
Personal Services . . . . . . . . . . . . . . . . $7,500,000 . . . . . . . . . 6,255,285 . . . . . . . .$1,244,715
Social Security . . . . . . . . . . . . . . . . . . . . $600,000 . . . . . . . . . .$455,241. . . . . . . . . $144,759
GRF Operations Total . . . . . . . . . . . .$8,100,000 . . . . . . . .$6,710,526 . . . . . . ..$1,389,474
Audit Expense Fund:
Audits/Studies/Investigations
. . . . . . . $33,205,479 . . . . . . . .$31,458,036 . . . . . . .$1,747,443