REPORT DIGEST

DEPARTMENT ON AGING
COMPLIANCE EXAMINATION
FOR THE TWO YEARS ENDED JUNE 30, 2024

Release Date: August 5, 2025

FINDINGS THIS AUDIT: 19

CATEGORY      NEW   REPEAT   TOTAL
Category 1      3       10      13
Category 2      0        6       6
Category 3      0        0       0
TOTAL           3       16      19

FINDINGS LAST AUDIT: 27

State of Illinois, Office of the Auditor General
FRANK J. MAUTINO, AUDITOR GENERAL

To obtain a copy of the Report contact: Office of the Auditor General, 400 West Monroe, Suite 306, Springfield, IL 62704-9849, (217) 782-6046 or TTY (888) 261-2887

This Report Digest and Full Report are also available on the worldwide web at www.auditor.illinois.gov

SYNOPSIS

• (24-04) The Department did not comply with notification requirements of the Adult Protective Services Act.
• (24-05) The Department failed to maintain adequate controls over personal services.
• (24-10) The Department did not maintain adequate internal controls over users' access to its applications and data.

FINDINGS, CONCLUSIONS, AND RECOMMENDATIONS

NONCOMPLIANCE WITH THE ADULT PROTECTIVE SERVICES ACT

The Department on Aging (Department) did not comply with notification requirements of the Adult Protective Services Act (Act).

During testing, we noted for two of 60 (3%) case investigations on abuse, abandonment, neglect, or financial exploitation of an eligible adult, the Department could not provide evidence of the Department having notified the eligible adult, or an eligible adult's guardian or agent, cared for by the caregiver, of the occurrence, that his or her caregiver's name may be placed on the Adult Protective Service Registry (Registry) based on a verified and substantiated finding of abuse, abandonment, neglect, or financial exploitation of an eligible adult (Finding 4, pages 19-20).

We recommended the Department either comply with notification requirements of the Act itself, or it should implement internal controls to adequately monitor the Adult Protective Services providers to ensure the notification requirements of the Act are met.

Department management partially concurred with this finding stating the Department has a robust monitoring, quality assurance and educational initiatives in place as controls to ensure compliance with this requirement. Additionally the Department stated, aside from the fact it is the provider versus the Department that provides the notice to an individual the Department respectfully submits that one instance should not rise to the level considered for material non-compliance.

In an accountant’s comment, we stated while we acknowledge the Department's monitoring, quality assurance, and education initiatives designed to support compliance, this requirement serves as a critical safeguard for vulnerable individuals and is fundamental to the integrity of the program; therefore, even two instances of noncompliance is significant and warrants a material classification.

INADEQUATE CONTROLS OVER PERSONAL SERVICES

The Department failed to maintain adequate controls over personal services.

For our testing of personal services, the Department provided a population of active, newly hired, and terminated employees. However, we were unable to determine the completeness and accuracy of the listing provided in order to obtain reasonable assurance on the reported hire and separation effective dates of employees in order to properly test compliance.

Despite these limitations, we selected a sample of employees to review personnel files, performance evaluations, payroll vouchers, time sheets, leave requests, accrued leave balances, overtime cards, and training certificates. Our testing identified the following:

• One of 23 (4%) employees tested did not have Form I-9 in their personnel files. As a result, we were unable to verify whether the Department had examined the employee’s identity and employment authorization.
• Four of 23 (17%) employees’ performance evaluations were not completed during Fiscal Year 2024.
• Five of 23 (22%) employees had time sheets that were not approved in a timely manner, with delays ranging from 2 to 28 days.
• One of 23 (4%) employees tested did not complete the 2022 annual ethics training on time, with a delay of 8 days.
• Three of 23 (13%) employees tested did not complete the 2022 annual harassment and discrimination prevention training on time, with delays ranging from 3 to 8 days.
• One of 23 (4%) employees tested completed the 2022 annual combined Identity Protection Act and security awareness training six days late.
• Ten of 45 (22%) overtime transactions lacked documentation of prior supervisory approval (Finding 5, pages 21-24).

This finding has been reported since 2012.

We recommended the Department maintain complete and accurate employee listings, retain and properly complete the Form I-9s, complete performance evaluations at least annually, timely approve timesheets, timely complete the mandated training programs, and ensure that all overtime transactions receive prior supervisory approval and are supported by appropriate documentation.

The Department agreed with this finding. Please see the full State Compliance Examination Report for further details of the Department’s response.

INADEQUATE CONTROLS OF ACCESS TO APPLICATIONS AND DATA

The Department did not maintain adequate internal controls over users' access to its applications and data.

During testing of eight applications to determine whether an annual review of user access was completed for each fiscal year tested, we noted the following:

• The Department did not conduct an annual review of users' access rights during Fiscal Year 2023 for five (63%) applications.
• The Department was not able to provide supporting documentation evidencing review of users' access rights during Fiscal Year 2023 was performed for three (37%) applications (Finding 10, pages 36-37).

We recommended the Department conduct and document periodic reviews of users of its systems to ensure access is appropriate.

Management indicated that the Department concurs with this finding, and the Department conducted a comprehensive examination of users' access rights for all applications, servers, and Resource Access Control Facility (RACF) Mainframe IDs and terminated access rights for users that no longer required access. Management additionally noted this review process will continue as an ongoing security practice.

OTHER FINDINGS

The remaining findings pertain to fiscal and administrative responsibilities, statutory mandates, and information technology controls. We will review the Department’s progress towards the implementation of our recommendations in our next State compliance examination.

ACCOUNTANT’S OPINION

The accountants conducted a State compliance examination of the Department for the two years ended June 30, 2024, as required by the Illinois State Auditing Act. The accountants qualified their report on State compliance for Findings 2024-001, 2024-002, and 2024-004 through 2024-014. Except for the noncompliance described in these findings, the accountants stated the Department complied, in all material respects, with the requirements described in the report.

This State compliance examination was conducted by Maharlika PLLC.

COURTNEY DZIERWA
Division Director

This report is transmitted in accordance with Section 3-14 of the Illinois State Auditing Act.

FRANK J. MAUTINO
Auditor General

FJM:EGB