Volume 24, 2018 Annual Edition

AUDIT ADVISORY

Emerging and Potential Audit Issues


Frank J. Mautino, Auditor General

 

_______________________________________________________________________________ 

 

Auditor General’s Message

 

The Illinois State Auditing Act requires the Auditor General’s Office to conduct financial audits, compliance examinations, and other attestation agreements in accordance with all applicable professional standards current at the time the engagement is commenced. Such standards include Government Auditing Standards issued by the U.S. General Accountability Office. 

A compliance audit examines many operational areas of the State agency.   Such areas include planning, internal control, personal services, contractual services, travel, commodities, printing, state property, electronic data, telecommunications, internal auditing, etc.

In all engagements the auditors obtain an understanding of the entity and its environment to assess the risk for the engagement and to design the nature, timing, and extent of further audit procedures.  For a financial audit it is the risk of material misstatement due to error or fraud.  For a compliance examination it is the risk of material noncompliance whether intentional or unintentional.

Government Auditing Standards requires auditors to design the engagement to detect instances of fraud and noncompliance with provisions of laws, regulations, contracts, and grant agreements that may have a material effect on the engagement. 

The Office also reviews the State’s data processing systems. Since 2016, the Department of Innovation & Technology (DoIT) provides data processing services to approximately 100 user agencies.  DoIT and the agencies that use the computer resources share the responsibility for maintaining the integrity and security of computerized data and functions.  The Office of the Auditor General’s Information Systems Audit Division annually performs a Service Organization Control (SOC) Review of DoIT’s computer operations.  The primary purpose of the SOC Review is to provide auditors with assurance that the general and common systems’ application controls are adequate. See page 2 for results of the 2018 SOC Review.

_______________________________________________________________________________ 

 

Financial Audit and Attestation Compliance Examinations – Adverse Opinion Issuances

 

During the latest round of financial audits and compliance examinations released since our last Illinois Audit Advisory, we have observed a significant increase in the number of adverse opinions issued. An adverse opinion is issued when auditors conclude errors, misstatements, and/or omissions are so significant and pervasive the financial statements are not fairly presented or the agency did not comply with the assertions comprising a compliance examination. The following list identifies some proactive steps agency management can take to improve controls to help ensure a smooth audit process:

• The primary responsibility of State agencies is to administer the functions given to them by the General Assembly in accordance with State law as written.  Is management aware of any laws or rules the agency is not following?  Are there ambiguities in the law or rules that need clarification before the measurement and valuation of transactions is negatively impacted?  What proactive corrective actions have been taken to fix the problem?

• A good system of internal control includes ensuring the continuity of operations, including in the event of an employee’s temporary absence, planned retirement date, or unexpected separation.  Has management cross-trained its employees to perform all key functions?  Is the disaster recovery plan up-to-date and recently tested?

• A good system of internal control includes ensuring audit trails exist and the agency’s functions, decisions, and transactions are documented.  Do legal and fiscal staff provide input before key decisions are made to the agency’s operations?  Does front-line staff delivering services have a process to document their activities?  Does management actively review, at least on a sample basis, the work of its staff?

_______________________________________________________________________________ 

 

Other Post Employment Benefit (OPEB) Changes are Here

 

As of June 30, 2017, the unfunded actuarial accrued liability of the State’s OPEB plan totaled $38.1 billion.  In addition, the State is a governmental nonemployer contributing entity for the Teacher and Community College OPEB plans, with required contributions of $109.7 million and $4.3 million, respectively, in Fiscal Year 2017. 

The Governmental Accounting Standards Board (GASB) has adopted Statement No. 75.  Statement No. 75, Accounting and Financial Reporting for Postemployment Benefits Other Than Pensions, establishes new accounting and financial reporting requirements for governments that provide their employees with OPEB and governments that help pay for OPEB benefits for the employees of other governments.

The changes are designed to improve the usefulness of reported OPEB information and to increase the transparency, consistency, and comparability of OPEB information across governments.  The Statement relates to accounting and financial reporting issues only – how OPEB costs and obligations are measured and reported in audited external financial reports.  The Statement does not address how governments approach OPEB plan funding – a government’s policy regarding how much money it will contribute to its OPEB plans each year.

Beginning in fiscal year 2018, GASB Statement No. 75 requires employers and governmental nonemployer contributing entities to change the way they calculate and report the costs and obligations associated with OPEB. The State of Illinois is required to report the State’s entire net OPEB liability for the State plan and the State’s proportionate share of the collective net OPEB liability for the Teacher and Community College plans.  In addition, individual agencies and component units that present financial statements are required to report their proportionate share of the net OPEB liability for the State plan.

The net OPEB liability is the amount of liability that exceeds net assets.  These changes are similar to the changes to pension accounting and reporting made by GASB Statement No. 68, in effect beginning in State fiscal year 2015.

______________________________________________________________________________ 

 

Information Systems Audits

 

The Illinois Department of Innovation & Technology (DoIT), formed by Executive Order in 2016, was codified as a State agency on July 20, 2018 when PA 100-611 became law.

DoIT has assumed responsibilities for the State’s IT decisions and spending, including Information Technology infrastructure and functions for over 35 State agencies.   Commencing on July 1, 2016, DoIT and the 35 agencies were to work together in order to “transfer all relevant functions, employees, property, and funds” to DoIT.  As we reviewed the transfer in our 6-30-17 compliance examinations, we found that Intergovernmental Agreements between DoIT and the agencies often did not address the security, processing, integrity, availability and confidentiality of systems and data.  We recommended each agency enter into a detailed agreement with DoIT to ensure prescribed requirements and available security mechanisms are in place to protect the security, processing integrity, availability, and confidentiality of its systems and data.

In a related manner, beyond the 35 agencies included in the transfer, DoIT provides IT services, general controls, and application controls for another 68 agencies. We released a Service Organization Control Report (SOC), Type 1 regarding DoIT’s control environment in August of this year.  

The SOC Report contained an adverse opinion as a result of:

• DoIT’s Description of System contained inaccuracies and omissions.

• The controls stated in its Description of System were not suitably designed to provide reasonable assurance that the control objectives would be achieved.

• The controls stated in its Description of System were not operating effectively.

As a result of this adverse opinion, auditors of these agencies will likely modify the agency-level risk assessment to accommodate the additional risk to agencies and perform additional procedures to properly address these risks.

If you are one the agencies that uses the IT services provided by DoIT, we suggest you review the SOC report to obtain an understanding of the control environment as it relates to your agency. The report is available on our website - http://www.auditor.illinois.gov.

_______________________________________________________________________________ 

 

SEFA Preparation Process

 

The Office of the Auditor General has been working closely with the Governor’s Office of Management and Budget (GOMB) and the Grant Accountability and Transparency Unit (GATU) to transition the responsibility of preparing the State’s Schedule of Expenditures of Federal Awards (SEFA). State Agencies will need to work with GOMB and GATU to potentially alleviate reporting issues within their agencies beginning with the FY’19 SEFA reporting process. The migration of the responsibility will move the State forward in addressing the audit concern of the State’s current process being overly dependent on the post-audit program.

_______________________________________________________________________________ 

 

Performance Audit of the State’s Leasing Decision

 

House Joint Resolution Number 63 directed the Auditor General to conduct a performance audit of the State’s decision to enter into a five-year $2.4 million lease for property at 2410 South Grand Ave. East. The Resolution contained 11 specific determinations including:

• The justification for the space request;

• Whether CMS conducted a cost-benefit analysis of purchasing instead of leasing; and

• Whether relationships played a role in the lease.

The audit was released in May 2018 and contained 10 recommendations directed to four different agencies.

The decision to enter into the lease actually involved two different leases – one for a file storage warehouse and one for an IT and Telecommunications Support Center.  After the winning vendors were selected but prior to the final award, the Department of Central Management Services (CMS) switched the purposes of the leases and the using agencies. However, CMS violated a provision of the Illinois Procurement Code by awarding leases to vendors who were not qualified respondents for the leases awarded.  In addition:

• Offers were evaluated and awards selected based on the requirements set forth in the solicitation document.  These requirements were then changed.

• Other responders did not get the opportunity to change their bids to meet the new lease requirements violating the principle of fair and equal treatment.

• By not rebidding, CMS may have excluded potential bidders who were not afforded the opportunity to bid on the new space requirements.

• The information provided by CMS to the Procurement Policy Board for the Department of Human Services warehouse lease was misleading and incomplete which hampered the Board’s ability to review the lease.  A draft version of the information sent to the Board contained additional language explaining the switching of leases but it was removed in the final version sent to the Board.

_______________________________________________________________________________ 

 

Performance Audit of Managed Care Organizations

 

House Resolution Number 100 directed the Office of the Auditor General to conduct an audit of Medicaid Managed Care organizations for State fiscal year 2016.    The Resolution contained nine specific determinations coving areas such as:

• whether encounter data was used by HFS to set capitation rates;

• the aggregate amount of MCO capitation payments made to MCOs;

• what administrative costs were paid to MCOs;

• the average payout ratio for all MCOs; and

• the denial rates for MCOs.

On January 25, 2011, Public Act 96-1501, amended the Illinois Public Aid Code and mandated that HFS increase the percentage of Medicaid clients whose services are paid through managed care organizations (MCOs). 

Unlike traditional fee-for-service Medicaid payments, payments for recipients enrolled in MCOs are based on capitation rates.  Capitation rates are fixed rate monthly payments per enrollee, and are paid regardless of whether the enrollee received services during that month. 

The cost for managed care increased from $212.8 million in fiscal year 2008 to $7.11 billion in fiscal year 2016.  During the same period, fee-for-service costs decreased from $10 billion to $7.6 billion. 

The audit was released in January 2018 and concluded that HFS did not maintain the complete and accurate information needed to adequately monitor $7.11 billion in payments made to the 12 MCOs during State fiscal year 2016.

Several types of information could not be provided by HFS including:

• all paid claims to Medicaid providers by the MCOs in FY16;

• Medicaid provider claims denied by MCOs in FY16;

• the administrative costs incurred by MCOs in FY16;

• the coordinated care costs incurred by MCOs in FY16; and

• Medical Loss Ratio (MLR) calculations since calendar year 2012.  

_______________________________________________________________________________ 

 

Regional Office of Education

 

The Office of the Auditor General conducts annual financial audits of the regional superintendent of schools of each educational service region in the State.  Currently we audit all the 35 Regional Offices of Education (ROE) and 3 Intermediate Service Centers   (ISC) each year.  Our Office has arranged for CPA firms to perform these audits under the general direction and management of the Auditor General. 

The fiscal year 2017 ROE audits released as of August 30, 2018 contained a total of 39 recommendations for improvement.  Most of the recommendations dealt with the ROEs not having sufficient internal controls, including controls over their financial reporting processes.

_______________________________________________________________________________ 

 

Personal Information Protection Act (PIPA)

 

The Personal Information Protection Act (815 ILCS 530/) was amended by PA 99-503 and the new provisions became effective in 2017.

The updated Act expands the definition of personal information to include:

• Such information that was encrypted or redacted, but the keys to unencrypt or unredact or otherwise read the name or data elements have been acquired without authorization through the breach of security. 

• User name or email address, in combination with a password or security question and answer that would permit access to an online account.

• Medical information.

• Health insurance information.

• Unique biometric data generated from measurements or technical analysis of human body characteristics used by the owner or licensee to authenticate an individual.

We suggest you review the Act and update policies and procedures to reflect the changes.

_________________________________________________________________________________________

 

###

 

Contact Information:

 

Office of the Auditor General

Iles Park Plaza, 740 East Ash Street

Springfield, Illinois 62703-3154

 

Michael A. Bilandic Building,

160 N. LaSalle Street, Suite S-900

Chicago, Illinois 60601-3109

 

Phone: 217-782-6046

Fax: 217-785-8222

TTY: 1-888-261-2887

Fraud Hotline: 1-855-217-1895

E-mail:  oag.auditor@illinois.gov

Website:  www.auditor.illinois.gov