DEPARTMENT OF CENTRAL MANAGEMENT SERVICES
For the Year Ended: June 30, 2010
Summary of Findings:
Total this audit: 3
Total last audit: 5
Repeated from last audit: 3
Release Date: April 7, 2011
State of Illinois, Office of the Auditor General
WILLIAM G. HOLLAND, AUDITOR GENERAL
To obtain a copy of the Report contact:
Office of the Auditor General, Iles Park Plaza, 740 E. Ash Street, Springfield, IL 62703
(217) 782-6046 or TTY (888) 261-2887
This Report Digest and Full Report are also available on the worldwide web at www.auditor.illinois.gov
This report covers our financial audit of the Department of Central Management Services for the year ended June 30, 2010. A State compliance examination covering the two years ended June 30, 2011 will be performed next year.
• The Department’s year-end financial reporting to the Office of the State Comptroller contained significant errors.
• The Department did not institute or implement comprehensive standards to effectively secure and control the midrange computer environment.
FINDINGS, CONCLUSIONS, AND RECOMMENDATIONS
WEAKNESSES IN INTERNAL CONTROL OVER FINANCIAL REPORTING
The Department’s year-end financial reporting in accordance with generally accepted accounting principles (GAAP) to the Office of the State Comptroller contained significant errors in the determination of certain year-end account balances and note disclosures.
During the audit of the June 30, 2010 financial statements and testing of workers’ compensation liability and automobile liability information, the auditors noted material weaknesses and significant deficiencies resulting from the Department’s failure to establish adequate internal control over the accumulation of information necessary for the proper determination of year-end liabilities as follows:
• During the auditor’s testing of the workers’ compensation liability, the auditors noted an error in the calculation resulting in an understatement of $17.790 million in the General Revenue Fund and $4.447 million in the Road Fund. The fiscal year 2010 financial statements have been adjusted to correct the $22.237 million overstatements.
• During the auditor’s testing of the workers’ compensation liability, the auditors noted the Department did not have a formal evaluation or estimation process for claims (injuries having occurred prior to year-end) which were pending or were considered to be in the process of being awarded. The Department calculated the workers’ compensation liability for pension-type awards based primarily on awards which have been settled as of the fiscal year end or very soon thereafter. Governmental accounting requires the Department to determine whether it is probable, reasonably possible, or remote that a liability has been incurred as of the date of the financial statements. If the Department determines it is probable that a liability has occurred and an amount can be reasonably estimated, such amount should be accrued as of the financial statement date. The Department’s financial statements were subsequently adjusted to include additional workers’ compensation liabilities of $33.363 million in the General Fund and $8.341 million in the Road Fund, representing an estimate of the total liability based on historical averages. While the auditors do believe the financial statements are fairly stated at June 30, 2010, the methodology does not necessarily result in a reasonable estimate of the liability due to the wide range of potential settlement outcomes. The estimate would be more accurate if calculated based on projected outcomes based on the facts and circumstances inherent in the individual claims. At June 30, 2010 the Department reported a total of 226 unsettled claims of which a portion are likely to result in a pension-type award.
• The Department is responsible for reporting liabilities arising from accidents involving State employees. While testing large (>$25,000) Automobile Liability reserves at June 30, 2010, the auditors noted large claim payments that were classified as routine and improperly included in the calculation of the contingent liability for routine claims resulting in an overstatement of the auto liability for routine claims of approximately $10,000.
• During testing, the auditors noted several other errors in the preparation of the Department’s internal service fund financial statements. The errors included improperly calculating the amount reported as “invested in capital assets, net of related debt,” overstating accounts payable, and errors in the calculation of the future minimum lease payments in the operating leases footnote. The errors noted were not individually significant to the financial statements taken as a whole; however, the Department did not have effective controls over the reconciliation and review functions to ensure amounts were properly reported at June 30, 2010. (Finding 1, pages 48-51 of the Financial Report) This finding was first reported in 2007.
We recommended the Department implement procedures to ensure GAAP Reporting Packages are prepared in a complete and accurate manner and information provided to other agencies and the Office of the State Comptroller for financial reporting purposes is complete and accurate. Additionally, we recommended the Department evaluate pending workers’ compensation claims on a case-by-case basis to ensure the calculation of the year-end liability is accurate and representative of the probable loss to be incurred on such outstanding claims.
Department officials concurred with our recommendation and stated that they have addressed each of the control recommendations. (For the previous Department response, see Digest Footnote #1)
INADEQUATE SECURITY AND CONTROL OVER THE MIDRANGE ENVIRONMENT
The Department did not institute or implement comprehensive standards to effectively secure and control the midrange environment.
Although it has been five years since the consolidation, the auditors continue to note inadequate security over the midrange environment. Specifically, during the auditor’s review, the auditors noted:
• Comprehensive standards to effectively secure and control the midrange environment had not been implemented across the midrange environment.
• Password length and content requirements were lacking.
• Some administrative and user accounts did not require passwords.
• Servers were not updated with the current vendor recommended patch or service pack levels. (Finding 2, pages 52-53 of the Financial Report) This finding was first reported in 2007.
We recommended the Department institute and implement comprehensive standards to effectively secure and control the midrange environment for itself and consolidated agency systems. In addition, we recommended the Department formally communicate with consolidated agencies to determine their specific security requirements, and develop and implement guidelines that outline both the agencies' and the Department's responsibilities and provide a means for consolidated agencies to verify that security and integrity controls in the midrange environment are suitable and meet specific application requirements.
The auditors specifically recommended the Department: (1) standardize password length and content requirements and ensure all accounts require a password and (2) update servers to current vendor recommended patch or service pack levels.
Department officials concurred with our recommendation and stated that they will continue to strive toward standardization and maturity in the midrange environment to improve security. (For the previous Department response, see Digest Footnote #2)
The remaining finding is reportedly being given attention by the Department. We will review the Department’s progress toward the implementation of all our recommendations in our next engagement.
Our auditors stated the Department’s financial statements as of and for the year ended June 30, 2010 are fairly presented in all material respects.
WILLIAM G. HOLLAND
SPECIAL ASSISTANT AUDITORS
Sikich, LLP were our special assistant auditors.
#1 –Weaknesses in Internal Control Over Financial Reporting –Previous Department Response
The Department concurs. The Workers Compensation liability calculation was revised in the current year to include full liability for lifetime awards. The new calculation contained a duplicate line creating an overstatement of the liability. The Department provided a revised liability calculation and required adjustments to the Office of the Comptroller. A revised liability calculation template is in place for next fiscal years. The Department is implementing an end-of-year review process for auto liability claims which will reduce the chance for error in estimating claim liabilities. All financial reports will be more closely reviewed before transmission to the Office of the Comptroller so that adjustments are correct and amounts are recognized in the appropriate fiscal year for financial reporting.
#2 –Inadequate Security and Control Over the Midrange Environment – Previous Department Response
The Department concurs and will continue to strive toward standardization and maturity in the midrange environment. In order to provide immediate benefit of physical environment control, DCMS relocated the non-standard server platforms into its data center which led to the need to support multiple, non-standard environments. Many of the underlying causes are a result of the decision to relocate servers prior to consolidation. The current Architectural Review Board, Service Engineering Unit, and I.T. Governance process will continue efforts to implement standards, establish appropriate documentation and guidelines, and communicate with agencies. The recent purchase and installation of a comprehensive compliance monitoring product will help control users with security administration authority; identify users that should be deactivated for non-use, and help DCMS track server patch and service pack levels. As staff resources and budgets permit, the Department plans to schedule an enterprise assessment of its security controls.