REPORT DIGEST DEPARTMENT OF CENTRAL MANAGEMENT SERVICES FINANCIAL AUDIT For the Year Ended: June 30, 2012 Release Date: February 28, 2013 Summary of Findings: Total this audit: 2 Total last audit: 2 Repeated from last audit: 2 State of Illinois, Office of the Auditor General WILLIAM G. HOLLAND, AUDITOR GENERAL To obtain a copy of the Report contact: Office of the Auditor General, Iles Park Plaza, 740 E. Ash Street, Springfield, IL 62703 (217) 782-6046 or TTY (888) 261-2887 This Report Digest and Full Report are also available on the worldwide web at www.auditor.illinois.gov INTRODUCTION This report covers our financial audit of the Department of Central Management Services for the year ended June 30, 2012. A State compliance examination covering the two years ended June 30, 2013 will be performed next year. SYNOPSIS • The Department’s year-end financial reporting to the Office of the State Comptroller contained significant errors. • The Department had not implemented effective security controls over all servers in the midrange environment. FINDINGS, CONCLUSIONS, AND RECOMMENDATIONS NEED FOR IMPROVEMENT OVER FINANCIAL REPORTING The Department’s year-end financial reporting in accordance with generally accepted accounting principles (GAAP) to the Illinois Office of the State Comptroller contained significant errors in the determination of certain year-end account balances and note disclosures. During the audit of the June 30, 2012 financial statements, the auditors noted material weaknesses and significant deficiencies resulting from the Department’s failure to establish adequate internal control over the accumulation of information necessary for the proper reporting of financial information as follows: • The Department is responsible for recording a liability for workers’ compensation claims for injuries incurred before year-end that are probable of resulting in an award, including pension-type or lifetime awards. The Department made mathematical errors in the calculation of the total estimated liability for pension-type awards resulting in an overstatement of the liability of $16,859,181. In addition, the Department did not use the correct life expectancy table, used inaccurate data for the calculation and was unable to provide documentation supporting the date of death for a deceased beneficiary. These additional errors resulted in an understatement of the liability of $1,873,181. In total, the liability was overstated by $14,986,000. Furthermore, the Department continues to estimate the liability using historical information rather than an actuarially calculated liability based on projected outcomes based on facts and circumstances inherent in the individual claims and by applying a consistent and supported assessment of those individual claims which may result in an overstatement or understatement of the liability. • The Department obtained legal title to the Thomson Correctional Center from the Illinois Department of Corrections in August 2010, but failed to report the asset on their financial statements. Department officials stated the oversight was the result of unexpected delays in the sale of the facility and a misapplication of surplus property rules based on a negotiated operating agreement with DOC. The Department’s June 30, 2012 financial statements have been adjusted to report the $100 million facility. • The Department did not perform an adequate review of amounts due from other State agencies that were outstanding for more than one year in determining the allowance for doubtful accounts. The Department reported a net reduction of balances due from other State agencies totaling $3,085,822. Of this, the Department has represented only $825,471 relates to disputes over amounts previously billed. The remainder of the allowance is comprised of virtually all prior year unpaid balances from other State agencies. The Department has not adequately supported that these balances are uncollectible. • We noted 18 State agencies with net overpayments in excess of $1,000 from prior year receivables totaling $860,769. In addition, we noted 3 local government entities with overpayments in excess of $1,000 from prior year receivables totaling $7,833 and numerous other overpayments of less than $1,000. These net overpayments have been included in the allowance for doubtful accounts, resulting in an understatement of receivables at June 30, 2012 of $868,602. • The Department did not perform an adequate review of lapse period transactions. As a result, the Department overstated accounts payable totaling $6,953,000. The overstatements included improperly reporting a voucher processed in July to remit money to the Deferred Compensation plan as a liability, resulting in the overstatement of accounts payable of $1,694,000. In addition, the Department reported liabilities for goods received after June 30, 2012 of $5,259,000. • The auditors also noted several other errors in the preparation of the Department’s financial statements. The errors included improperly calculating the amount reported as “invested in capital assets, net of related debt” and errors in the calculation of the current year lease payments and the future minimum lease payments in the operating leases footnote. The errors noted were not individually significant to the financial statements taken as a whole; however, the Department did not have effective controls over the reconciliation and review functions to ensure amounts were properly reported at June 30, 2012. (Finding 1, pages 52-54) This finding was first reported in 2007. We recommended the Department implement procedures to ensure GAAP Reporting Packages prepared and submitted to the Office of the State Comptroller for financial reporting purposes are complete and accurate. Department officials concurred with our recommendation and stated that they are continually assessing the financial reporting process and implementing procedures to improve upon accuracy. (For the previous Department response, see Digest Footnote #1) INADEQUATE SECURITY AND CONTROL OVER THE MIDRANGE ENVIRONMENT The Department had not implemented adequate security and controls over the midrange environment. Although the Department had implemented standards to secure and control the midrange environment, the standards did not require widespread deployment to legacy systems. As such, the Department still had not implemented effective security controls over all servers in the midrange environment. Upon review, auditors noted standards had not been consistently applied on all servers. Specifically, we noted servers: • Running unsupported operating systems or service pack versions, • Without anti-virus software, • Not properly backed up, • With deficient password length and content requirements, and • With administrative and user accounts which did not require passwords. Additionally, auditors noted the Department had not conducted a comprehensive review of individuals with administrative rights to the environment, to ensure appropriateness. (Finding 2, pages 55-56) This finding was first reported in 2007. We recommended the Department should ensure the standards to secure and control the environment are implemented across the midrange environment. The auditors specifically recommended the Department: (1) standardize password length and content requirements and ensure all accounts require a password; (2) update servers to current vendor recommended patch or service pack levels; (3) ensure all servers are running antivirus software; (4) ensure all servers are routinely backed up; and (5) conduct a comprehensive review of individuals with administrative rights to ensure appropriateness. Department officials concurred with our recommendation and stated that they will continue to strive toward standardization and maturity in the midrange environment. (For the previous Department response, see Digest Footnote #2) AUDITORS’ OPINION Our auditors stated the Department’s financial statements as of and for the year ended June 30, 2012 are fairly presented in all material respects. WILLIAM G. HOLLAND Auditor General WGH:TLD:rt SPECIAL ASSISTANT AUDITORS Sikich, LLP were our special assistant auditors. DIGEST FOOTNOTES #1 –Need for Improvement Over Financial Reporting – Previous Department Response The Department agrees with the recommendations. Except for the finding related to the Workers’ Compensation calculation, the items detailed above were not material to the Department statements or the statewide statements. An adjustment was posted to the financial statements for the additional Workers’ Compensation liability. The Department plans to contract with an actuary for assistance with future Workers’ Compensation liability calculations. In addition, CMS financial staff will examine actual liability figures and compare them with the CMS estimates ($24 million) and auditors’ estimates ($93 million). Based on these comparisons and improved data collection, we will consider any additional historical and current period injury related variables that affect the accuracy of the estimating methodology and make the necessary improvements to enhance accuracy. The Department continues to cross train and encourage communication and awareness among fiscal and Shared Service Center accounting staff regarding fiscal transactions and the related financial statement treatment. Increased review of financial reports and in particular lapse period transactions continues to be a major focus of the Department. The Department is also working with the Shared Services center on documenting the internal GAAP process. In terms of commodities inventory, it is Department practice to only purchase commodities sufficient to meet short-term needs. We do not stockpile commodities. We agree to document a policy outlining our commodities purchasing practices. #2 –Inadequate Security and Control Over the Midrange Environment – Previous Department Response The Department concurs and will continue to strive toward standardization and maturity in the midrange environment. The Department has implemented numerous policies, standards, processes, procedures and tools to help address these issues. Due to the size and nature of the disparate environment, many of the legacy agency environments do not fully meet the standards, but we are working to improve these environments and working with the agencies to update applications where needed. Implementing these changes is very time and resource consuming in such a large and diverse environment.