27, 2021 Annual Edition
and Potential Audit Issues
Frank J. Mautino, Auditor General
past year has been challenging for the people of Illinois. Thankfully, we are
beginning to resume normal operations. As our State agencies return to work and
resume day-to-day responsibilities, I want to thank the employees, managers,
and State leaders for their diligence as we work our way through the pandemic.
issue of the Audit Advisory discusses Independence requirements for report preparation
and census data as it relates to pension and other post-employment benefits
in technology have created opportunities for efficiencies in auditing and
reporting but have also exposed risk, vulnerabilities, and challenges. State
agencies must strengthen their internal controls in order to combat and defend
against the increasing threat of cyber-criminal operations. This issue will
discuss cyber security reviews which are being conducted as a direct result of legislation
passed by Representative Jamie Andrade and Senator Laura Ellman.
enterprise resource planning system (ERP) is now online for financial reporting.
Even before COVID-19 paralyzed our agencies, we experienced inordinate delays
in agency management’s preparation of financial statements and related note disclosures.
These delays adversely impacted the timeliness and accuracy of State reporting.
Moving towards a single state-wide reporting system should improve the
timeliness of financial reporting. As we move to more normal operations, we
should remember the success of our government relies on the fundamental
principles of accountability, transparency, and diligence.
to changes in independence requirements, effective June 30,
2020, the Office of the Auditor General (OAG) requires
auditees, without auditor assistance, to prepare the report
components comprising the Supplementary Information for State Compliance
Purposes usually found within the OAG’s compliance reports. To help
this change, the OAG published guidance on its website for
auditees to follow in preparing these report components
(see link below). It is important for all auditees to
review this document in its entirety and prepare the various report
components in accordance with this guidance. Failure to
materially prepare report components in a timely manner in
accordance with this guidance may result in findings.
we do not express an opinion, a conclusion, or provide any
assurance on these report components, we read them to identify potential
errors based on our knowledge of the auditee and, where
possible, compare or reconcile the information to the auditee’s records
during the compliance examination. If we identify any potential errors, we
will bring the matter to the attention of the auditee’s
management to ideally either correct the error or
demonstrate why the disclosure is complete and
audits have found that some auditees have inadequate
internal controls to both:
• prepare the report components, and
• demonstrate the report components prepared by agency
management were complete and accurate.
examinations stress the fundamentals of governmental
accountability, including providing transparency about the auditees’
fiscal and administrative
controls and whether the auditees’ resource utilization was efficient,
effective, and in compliance with applicable law. Failure to prepare
and complete report components hinders the ability of
users of compliance examination reports to obtain
additional analysis of the auditees’ operations.
Guidance on Report Component Preparation
Act 100-0914 amended the Illinois State Auditing Act (30 ILCS 5/3-2.4 new) to
specifically include Cybersecurity as part of our Compliance Examination program
with an effective date of January 1, 2019.
outlined in the 2020 Audit Advisory, we incorporated a review of Cybersecurity
into the standard compliance examination program and also performed detailed
testing at approximately 20 agencies in both the June 30, 2019 and 2020
examinations. We used the following general criteria in our examinations to
determine if agencies had:
1. Established and documented cybersecurity roles and responsibilities.
2. Established and communicated policies, procedures, and processes to manage and
monitor the regulatory, legal, environmental, and operational requirements.
3. Performed a comprehensive risk assessment to identify and ensure adequate
protection of confidential or personal information most susceptible to attack.
4. Classified data to establish the types of information most susceptible to
attack to ensure adequate protection.
5. Ensured all employees annually complete cybersecurity training as outlined in
the Data Security on State Computers Act.
6. Evaluated and implemented appropriate controls to reduce the risk of attack.
identified significant weaknesses at 29 agencies (from reports
released through July 14, 2021) and the table below summarizes our findings. (Please
see PDF version of this Advisory to view the exhibit.) To promote agencies’
responsibility to ensure that confidential information is protected from
accidental or unauthorized disclosure, we generally recommended they ensure
that the six areas identified above are adequately addressed. We will continue
to emphasize the review of cybersecurity programs and practices in future
recent audits have found significant issues related to a lack of census data
reconciliation. Census data is demographic data (such as date of birth, gender,
and years of service) of the active, inactive, or retired members of a pension
plan or OPEB (other postemployment benefits) plan. The plans are responsible
for inactive and retired members. However, employers (State agencies,
universities, etc.) are responsible for submitting accurate census data information
on active employees to the plans.
audits have found that agencies have not performed an initial complete
reconciliation of their census data to establish a base year of complete and accurate
census data. Agencies have also not developed a process to annually obtain
incremental changes from the retirement plans and the Illinois Department of
Central Management Services (CMS) to reconcile those changes back to internal supporting
depend on employer-provided census data reported to the plans being complete
and accurate. Failure to reconcile active members’ census data could result in
each plan’s actuary relying on incomplete or inaccurate census data. This could
lead to misstatements of the agencies’ pension and OPEB amounts.
agencies with financial statements audits, we are in the process of changing
how we approach census data testing. We have engaged with our Special Assistant
Auditors assigned to the plan audits to perform the employer-level census data
testing simultaneously with the plan-level census data testing they were
already performing. This change will result in a new examination opinion (AT-C
§ 205 report) being issued for agencies. The auditors of the relevant plan will
issue the AT-C § 205 report on the accuracy and completeness of an agency’s census
data each year and then this opinion will be used as evidence by the financial
statement auditors assigned to the audit in forming their opinion on the
agencies will be asked by the plans to perform a baseline reconciliation. The
State Retirement System has begun issuing guidance on how the initial
reconciliation will be performed for agencies in their plans (SERS, GARS, &
JRS). Because of the relationship between pension and OPEB census data, the
pension plan reconciliations will be sufficient to cover the reconciliation for
both pension and OPEB. We expect the State Universities Retirement System to
issue guidance on the initial reconciliation to be performed for the
and University Employees are members of one of the State retirement systems
for their pensions and a group insurance program sponsored by CMS for their
Finding Example: The agency did not have a reconciliation process to provide
assurance census data submitted to its pension and OPEB plans was complete and
Our Office has undergone some changes with valued members of our
team retiring and the addition of new members to our management team.
• Margaret Livingston – Maggie is our Chief Legal Counsel,
starting with the Office in February 2021. She earned her undergraduate degree
from Haverford College and her law degree at Chicago-Kent College of Law. Prior
to joining the Office, Maggie was Assistant Counsel in the Illinois House of Representatives.
• Sara Metzger – Sara has been with the Office since August
2008 and was recently promoted to Assistant Director of the
Financial/Compliance Division. She was previously the Statewide Financial
Audit Manager and has participated in numerous peer reviews of other states.
Sara is a CPA and CIA, earning her undergraduate degree at Illinois College and
her graduate degree at the University of Illinois Springfield.
• Becky Patton – Becky was the Chief Legal Counsel for more
than 28 years, beginning with the Office in September 1992. She earned her
undergraduate degree and her law degree from the University of Illinois.
Becky’s wealth of knowledge of the law, State government, and the Office itself
was unmatched and will be greatly missed.
• Elvin Lay – Elvin served many years in State government
before coming to the Office in February 2013. He earned his undergraduate
degree at the University of Central Texas and his graduate degree at the
University of Illinois Springfield. Elvin was the Assistant Director of the
Financial/Compliance Division at the time of his retirement.
new Public Acts were passed recently which impact the Office of the Auditor
Act 102-0061 (House Bill 368)
law deals with the Office’s ability to review confidential tax records at the
Illinois Department of Revenue. Prior to the change, State law only allowed payroll
employees of the Office to review confidential income tax records. The change
in law allows the Office to seek approval from the Internal Revenue Service (IRS)
to grant the Office’s contractual employees and audit firms the ability to
review federal tax information. Firms that contract with our Office to perform
audits have the same rigorous procedures to protect confidential information as
the Office. After approval by the IRS, they will now be able to use their own
staff to complete audit procedures, which will enable firms to review audit evidence
supporting their audit opinions, enhance cost effectiveness, and improve
Act 102-0025 (House Bill 1934)
law impacts annual financial audits performed by the Office of Regional
Offices of Education (ROEs). Prior to the change, ROEs were required to use the
GAAP basis of accounting to prepare financial statements. The change in law now
allows ROEs to utilize a cash basis, modified cash basis, or GAAP basis of
accounting. This change will allow ROEs to prepare financial statements in a
timelier manner which will also result in more timely completion of the annual
Performance Audit Award
In April 2021, the Office was awarded the NSAA Excellence in
Accountability Award for its performance audit of the Illinois Department
of Children and Family Services Investigations of Abuse and Neglect. The audit
was conducted pursuant to House Resolution Number 418 which specifically required
the audit to include a review of abuse and neglect investigations conducted by
the Department in FY15, FY16, and FY17. The report contained a total of 13
recommendations to the Department. Mike Paoni, Assistant Director of the Performance
Audit Division, was the manager of the audit.
Office of the Auditor General
Iles Park Plaza, 740 East Ash Street
Springfield, Illinois 62703-3154
Michael A. Bilandic Building,
160 N. LaSalle Street, Suite S-900
Chicago, Illinois 60601-3109
Fraud Hotline: 1-855-217-1895