Volume 27, 2021 Annual Edition
AUDIT ADVISORY
Emerging and Potential Audit Issues
Frank J. Mautino, Auditor General
Auditor General’s Message
The past year has been challenging for the people of Illinois. Thankfully, we are beginning to resume normal operations. As our State agencies return to work and resume day-to-day responsibilities, I want to thank the employees, managers, and State leaders for their diligence as we work our way through the pandemic.
This issue of the Audit Advisory discusses independence requirements for report preparation and census data as it relates to pension and other post-employment benefits (OPEB).
Increases in technology have created opportunities for efficiencies in auditing and reporting but have also exposed risk, vulnerabilities, and challenges. State agencies must strengthen their internal controls in order to combat and defend against the increasing threat of cyber-criminal operations. This issue will discuss cyber security reviews which are being conducted as a direct result of legislation passed by Representative Jamie Andrade and Senator Laura Ellman.
The enterprise resource planning system (ERP) is now online for financial reporting. Even before COVID-19 paralyzed our agencies, we experienced inordinate delays in agency management’s preparation of financial statements and related note disclosures. These delays adversely impacted the timeliness and accuracy of State reporting. Moving towards a single state-wide reporting system should improve the timeliness of financial reporting. As we move to more normal operations, we should remember the success of our government relies on the fundamental principles of accountability, transparency, and diligence.
Report Component Preparation
Due to changes in independence requirements, effective June 30, 2020, the Office of the Auditor General (OAG) requires auditees, without auditor assistance, to prepare the report components comprising the Supplementary Information for State Compliance Purposes usually found within the OAG’s compliance reports. To help facilitate this change, the OAG published guidance on its website for auditees to follow in preparing these report components (see link below). It is important for all auditees to review this document in its entirety and prepare the various report components in accordance with this guidance. Failure to materially prepare report components in a timely manner in accordance with this guidance may result in findings.
While we do not express an opinion, a conclusion, or provide any assurance on these report components, we read them to identify potential errors based on our knowledge of the auditee and, where possible, compare or reconcile the information to the auditee’s records examined during the compliance examination. If we identify any potential errors, we will bring the matter to the attention of the auditee’s management to ideally either correct the error or demonstrate why the disclosure is complete and accurate.
Recent audits have found that some auditees have inadequate internal controls to both:
(1) prepare the report components, and
(2) demonstrate the report components prepared by agency management were complete and accurate.
Compliance examinations stress the fundamentals of governmental accountability, including providing transparency about the auditees’ fiscal and administrative controls and whether the auditees’ resource utilization was efficient, effective, and in compliance with applicable law. Failure to prepare accurate and complete report components hinders the ability of users of compliance examination reports to obtain additional analysis of the auditees’ operations.
OAG Guidance on Report Component Preparation
http://auditor.illinois.gov/Other-Public-Documents/Report-Component-Templates.asp
Cybersecurity Reviews
Public Act 100-0914 amended the Illinois State Auditing Act (30 ILCS 5/3-2.4 new) to specifically include Cybersecurity as part of our Compliance Examination program with an effective date of January 1, 2019.
As outlined in the 2020 Audit Advisory, we incorporated a review of Cybersecurity into the standard compliance examination program and also performed detailed testing at approximately 20 agencies in both the June 30, 2019 and 2020 examinations. We used the following general criteria in our examinations to determine if agencies had:
1. Established and documented cybersecurity roles and responsibilities.
2. Established and communicated policies, procedures, and processes to manage and monitor the regulatory, legal, environmental, and operational requirements.
3. Performed a comprehensive risk assessment to identify and ensure adequate protection of confidential or personal information most susceptible to attack.
4. Classified data to establish the types of information most susceptible to attack to ensure adequate protection.
5. Ensured all employees annually complete cybersecurity training as outlined in the Data Security on State Computers Act.
6. Evaluated and implemented appropriate controls to reduce the risk of attack.
We identified significant weaknesses at 29 agencies (from reports released through July 14, 2021) and the table below summarizes our findings. (Please see PDF version of this Advisory to view the exhibit.) To promote agencies’ responsibility to ensure that confidential information is protected from accidental or unauthorized disclosure, we generally recommended they ensure that the six areas identified above are adequately addressed. We will continue to emphasize the review of cybersecurity programs and practices in future compliance examinations.
Census Data Testing
Several recent audits have found significant issues related to a lack of census data reconciliation. Census data is demographic data (such as date of birth, gender, and years of service) of the active, inactive, or retired members of a pension plan or OPEB (other postemployment benefits) plan. The plans are responsible for inactive and retired members. However, employers (State agencies, universities, etc.) are responsible for submitting accurate census data information on active employees to the plans.
Recent audits have found that agencies have not performed an initial complete reconciliation of their census data to establish a base year of complete and accurate census data. Agencies have also not developed a process to annually obtain incremental changes from the retirement plans and the Illinois Department of Central Management Services (CMS) to reconcile those changes back to internal supporting records.
Actuaries depend on employer-provided census data reported to the plans being complete and accurate. Failure to reconcile active members’ census data could result in each plan’s actuary relying on incomplete or inaccurate census data. This could lead to misstatements of the agencies’ pension and OPEB amounts.
For agencies with financial statement audits, we are in the process of changing how we approach census data testing. We have engaged with our Special Assistant Auditors assigned to the plan audits to perform the employer-level census data testing simultaneously with the plan-level census data testing they were already performing. This change will result in a new examination opinion (AT-C § 205 report) being issued for agencies. The auditors of the relevant plan will issue the AT-C § 205 report on the accuracy and completeness of an agency’s census data each year and then this opinion will be used as evidence by the financial statement auditors assigned to the audit in forming their opinion on the financial statements.
All agencies will be asked by the plans to perform a baseline reconciliation. The State Retirement System has begun issuing guidance on how the initial reconciliation will be performed for agencies in their plans (SERS, GARS, & JRS). Because of the relationship between pension and OPEB census data, the pension plan reconciliations will be sufficient to cover the reconciliation for both pension and OPEB. We expect the State Universities Retirement System to issue guidance on the initial reconciliation to be performed for the universities.
[State and University Employees are members of one of the State retirement systems for their pensions and a group insurance program sponsored by CMS for their OPEB.]
[Recent Finding Example: The agency did not have a reconciliation process to provide assurance census data submitted to its pension and OPEB plans was complete and accurate.]
Personnel Changes
Our Office has undergone some changes with valued members of our team retiring and the addition of new members to our management team.
New Additions/Promotions:
• Margaret Livingston – Maggie is our Chief Legal Counsel starting with the Office in February 2021. She earned her undergraduate degree from Haverford College and her law degree at Chicago-Kent College of Law. Prior to joining the Office, Maggie was Assistant Counsel in the Illinois House of Representatives.
• Sara Metzger – Sara has been with the Office since August 2008 and was recently promoted to Assistant Director of the Financial/Compliance Division. She was previously the Statewide Financial Audit Manager and has participated in numerous peer reviews of other states. Sara is a CPA and CIA, earning her undergraduate degree at Illinois College and her graduate degree at the University of Illinois Springfield.
Retirements:
• Becky Patton – Becky was the Chief Legal Counsel for more than 28 years, beginning with the Office in September 1992. She earned her undergraduate degree and her law degree from the University of Illinois. Becky’s wealth of knowledge of the law, State government, and the Office itself was unmatched and will be greatly missed.
• Elvin Lay – Elvin served many years in State government before coming to the Office in February 2013. He earned his undergraduate degree at the University of Central Texas and his graduate degree at the University of Illinois Springfield. Elvin was the Assistant Director of the Financial/Compliance Division at the time of his retirement.
New Public Acts
Two new Public Acts were passed recently which impact the Office of the Auditor General:
Public Act 102-0061 (House Bill 368)
This law deals with the Office’s ability to review confidential tax records at the Illinois Department of Revenue. Prior to the change, State law only allowed payroll employees of the Office to review confidential income tax records. The change in law allows the Office to seek approval from the Internal Revenue Service (IRS) to grant the Office’s contractual employees and audit firms the ability to review federal tax information. Firms that contract with our Office to perform audits have the same rigorous procedures to protect confidential information as the Office. After approval by the IRS, they will now be able to use their own staff to complete audit procedures, which will enable firms to review audit evidence supporting their audit opinions, enhance cost effectiveness, and improve timeliness.
Public Act 102-0025 (House Bill 1934)
This law impacts annual financial audits performed by the Office of Regional Offices of Education (ROEs). Prior to the change, ROEs were required to use the GAAP basis of accounting to prepare financial statements. The change in law now allows ROEs to utilize a cash basis, modified cash basis, or GAAP basis of accounting. This change will allow ROEs to prepare financial statements in a timelier manner, which will also result in more timely completion of the annual financial audits.
Performance Audit Award
In April 2021, the Office was awarded the NSAA Excellence in Accountability Award for its performance audit of the Illinois Department of Children and Family Services Investigations of Abuse and Neglect. The audit was conducted pursuant to House Resolution Number 418 which specifically required the audit to include a review of abuse and neglect investigations conducted by the Department in FY15, FY16, and FY17. The report contained a total of 13 recommendations to the Department. Mike Paoni, Assistant Director of the Performance Audit Division, was the manager of the audit.
###
Contact Information:
Office of the Auditor General
Iles Park Plaza, 740 East Ash Street
Springfield, Illinois 62703-3154
Michael A. Bilandic Building,
160 N. LaSalle Street, Suite S-900
Chicago, Illinois 60601-3109
Phone: 217-782-6046
Fax: 217-785-8222
TTY: 1-888-261-2887
Fraud Hotline: 1-855-217-1895
E-mail: oag.auditor@illinois.gov
Website: www.auditor.illinois.gov