REPORT DIGEST
DEPARTMENT OF EMPLOYMENT SECURITY
Financial Audit
For the Year Ended June 30, 2010
Summary of Findings:
Total this audit: 1
Total last audit: 3
Repeated from last audit: 1
Release Date: February 10, 2011
State of Illinois, Office of the Auditor General
WILLIAM G. HOLLAND, AUDITOR GENERAL
To obtain a copy of the Report contact:
Office of the Auditor General, Iles Park Plaza, 740 E. Ash Street, Springfield, IL 62703
(217) 782-6046 or TTY (888) 261-2887
This Report Digest and Full Report are also available on the worldwide web at www.auditor.illinois.gov
____________________________
INTRODUCTION
This report covers our financial audit of the Department of Employment Security’s Non-Shared Funds for the year ended June 30, 2010. A State compliance examination covering the two years ended June 30, 2011 will be performed next year.
SYNOPSIS
• The Department did not properly restrict the use of the Super ID access to its information systems.
• In July 2009 the State of Illinois began receiving repayable advances from the Federal Government for the Illinois Unemployment Compensation Trust Fund. At June 30, 2010, this amount totaled approximately $2,239,582,000.
FINDINGS, CONCLUSIONS, AND RECOMMENDATIONS
INADEQUATE CONTROLS OVER COMPUTER SECURITY
The Department of Employment Security (Department) did not properly restrict the use of the Super ID access to its information systems.
The Information Services Bureau (ISB) was responsible for the development and maintenance of the Department’s information systems and preserving the integrity and security of information warehoused within those systems. The Department processed approximately $1.8 billion in employer unemployment tax revenue contributions and $8.3 billion of unemployment payments in fiscal year 2010.
As noted in prior years, the managers of application development had access to the production environment. This access was granted through the use of Super IDs, which allowed full access to all production software and data tables in the production environment. The Department had issued five Super IDs. Managers allowed their staff to utilize these accounts by sharing the password.
During the audit period we found that ISB programmers continued to share and use Super IDs on a non-emergency basis in the production environment to resolve transactional or application-related problems. The usage even increased by 35% compared to approximately the same period last year. As a compensating control, the Support Services Division Manager compared the system log to an independent log which documented the use and approval for each instance of access to the production environment. We tested the independent log and noted the supporting approval documents.
The frequent use of the Super IDs increased the risk of unauthorized access to systems and data which could jeopardize the integrity of the Department’s resources. Programming staff should generally be limited to accessing only the information specifically required to complete their assigned system development projects. (Finding 1, Pages 39-40) This finding was first reported in 2008.
We recommended that the Department allocate the resources necessary to correct day-to-day transactional and applications-related information systems problems, without compromising the security of those systems by overutilizing Super ID access rights. Further, we recommended that the use of the Super ID be restricted to emergency uses as required by Department policy.
Department officials accepted the recommendation and stated that system and programming changes have been made that have driven down the number of transactional problems that resulted in non-emergency Super ID utilization, and they will continue to rely on existing compensating controls while working to minimize the related transactional problems. (For the previous Department response, see Digest footnote #1)
AUDITORS’ OPINIONS
Our auditors stated the financial statements present fairly, in all material respects, the financial position of the Non-shared Funds of the Department of Employment Security as of June 30, 2010, and the changes in financial position and cash flows, where applicable, thereof for the year then ended.
WILLIAM G. HOLLAND
Auditor General
WGH:TLK:pp
SPECIAL ASSISTANT AUDITORS
E.C. Ortiz & Co., LLP were our special assistant auditors.
DIGEST FOOTNOTES
#1 – Inadequate Controls Over Computer Security – Previous Department Response
We accept the recommendation. The Department will examine the resource implications of implementing the recommendation. Given the record volume of unemployment claimants in the current environment, the Department may occasionally need to use extraordinary measures in order to ensure timely service to claimants. In these cases, the Department will continue to leverage the compensating controls which are in place and currently provide detailed system access logs.