REPORT DIGEST

DEPARTMENT OF CENTRAL MANAGEMENT SERVICES

FINANCIAL AUDIT FOR THE YEAR ENDED JUNE 30, 2015
AND COMPLIANCE EXAMINATION FOR THE TWO YEARS ENDED JUNE 30, 2015

Release Date: April 21, 2016

FINDINGS THIS AUDIT: 9

CATEGORY       NEW   REPEAT   TOTAL
Category 1      1      0        1
Category 2      2      6        8
Category 3      0      0        0
TOTAL           3      6        9

FINDINGS LAST AUDIT: 18

Category 1: Findings that are material weaknesses in internal control and/or a qualification on compliance with State laws and regulations (material noncompliance).
Category 2: Findings that are significant deficiencies in internal control and noncompliance with State laws and regulations.
Category 3: Findings that have no internal control issues but are in noncompliance with State laws and regulations.

State of Illinois, Office of the Auditor General
FRANK J. MAUTINO, AUDITOR GENERAL

To obtain a copy of the Report contact: Office of the Auditor General, Iles Park Plaza, 740 E. Ash Street, Springfield, IL 62703, (217) 782-6046 or TTY (888) 261-2887

This Report Digest and Full Report are also available on the worldwide web at www.auditor.illinois.gov

SYNOPSIS

• (15-1) The Department failed to report accurate account balances for year-end financial reporting to the Office of the State Comptroller.
• (15-2) The Department had not implemented adequate security and controls over the midrange environment.
• (15-7) The Department’s surplus of electronic equipment inventory was inadequately controlled.

• The Department recorded all lapse period expenditures as accounts payable at June 30, 2015 without considering when goods were received or services rendered. After inquiry by the auditors, the Department prepared and provided an analysis showing accounts payable were likely overstated by $920 thousand. The auditors identified errors in this analysis and the Department provided a revised analysis showing a likely overstatement of $2.134 million. Auditors identified additional transactions totaling $558 thousand which were improperly recorded as payables, resulting in a total likely overstatement of $2.692 million.
• The Department overstated inventory by $1.290 million as a result of an adjustment to record liabilities for lapse period expenditures. The adjustment was made by fiscal staff improperly increasing the balance of inventory reported by Bureau of Agency Services staff.
• The Department overstated unearned revenues related to fiber optic leases by $1.265 million. These errors were primarily due to the inclusion of duplicate billings in the Department’s calculation of unearned revenues. Errors were also caused by incorrect deferral time periods. (Finding 1, pages 12-15)

We recommended the Department implement procedures and cross-training measures to ensure required financial information is prepared in a timely, accurate and complete manner. This should include allocating sufficient staff resources and implementing formal procedures to ensure adequate and reliable financial information is prepared and submitted to the Office of the State Comptroller. These procedures should address all elements of the Department’s financial reporting process including, but not limited to, accruals for liabilities and receivables, maintenance of capital asset and inventory records, supervisory review of supporting spreadsheets for data accumulation, and the preparation of management estimates. Finally, we recommended the Department establish and document its process for preparing accounting estimates significant to its financial statements.

The Department agreed with the finding and stated that they have filled two vacant positions responsible for financial reporting. Additionally, the Department will work toward more comprehensive cross-training and communication among financial reporting staff at the Department and Shared Services.
In regard to the overstatement of the rebate receivable, the Department has remedied the situation through a new contract requirement for the vendor to provide the necessary information within 60 days. Finally, the Department has begun an overhaul of its financial reporting procedures to ensure accurate and reliable financial information is prepared and submitted to the Office of the Comptroller.

INADEQUATE SECURITY AND CONTROL OVER THE MIDRANGE ENVIRONMENT

The Department had not implemented adequate security and controls over the midrange environment.

In order to conduct audit work of the midrange environment, the auditors requested a listing of all servers being utilized by the various agencies. The Department provided the auditors three different listings, ranging from approximately 2,100 to 4,800 servers. In addition, the listings lacked detailed information. Because complete, detailed and accurate information was not available, the auditors’ ability to identify and target high risk servers for detailed testing was inhibited.

Although the auditors were unable to ascertain a complete and accurate listing of servers, they reviewed the information provided, noting servers:

• With powerful administrator accounts which did not require passwords,
• Running unsupported operating systems or service pack versions,
• Without anti-virus software,
• Not properly backed up, and
• With deficient password length, change interval, and content requirements. (Finding 2, pages 16-17)

This finding was first reported in 2007.

We recommended the Department ensure complete, accurate and detailed records are available to substantiate its midrange environment.
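As an added illustration, not part of the audit report, the following script performs the review described above: it reconciles several overlapping and incomplete server listings into one inventory and flags each server against the five control gaps the finding names. The host names, listing contents and thresholds (the supported-OS baseline, a 7-day backup age, a 12-character minimum password length and a 90-day change interval) are constructed assumptions, not values from the report.

```python
from datetime import date, timedelta

AS_OF = date(2015, 6, 30)                                          # fiscal year end
SUPPORTED_OS = {"Windows Server 2012 R2", "RHEL 7", "AIX 7.1"}    # assumed baseline
BACKUP_MAX_AGE = timedelta(days=7)                                 # assumed standard
PW_MIN_LEN, PW_MAX_AGE_DAYS = 12, 90                               # assumed standard

LISTINGS = [  # three overlapping, partly incomplete listings (constructed sample data)
    {"srv01": {"os": "Windows Server 2012 R2", "antivirus": True, "last_backup": "2015-06-29",
               "admins": [{"name": "Administrator", "password_required": True}],
               "pw_policy": {"min_len": 12, "max_age_days": 90, "complexity": True}},
     "srv02": {"os": "Windows Server 2003"}},
    {"srv02": {"antivirus": False, "last_backup": None,
               "admins": [{"name": "Administrator", "password_required": False}],
               "pw_policy": {"min_len": 6, "max_age_days": 365, "complexity": False}},
     "srv03": {"os": "RHEL 7", "antivirus": True, "last_backup": "2015-03-01",
               "admins": [{"name": "root", "password_required": True}],
               "pw_policy": {"min_len": 12, "max_age_days": 90, "complexity": True}}},
]

def reconcile(listings):
    """Union of hosts across all listings; a field is taken from the first listing that states it."""
    merged = {}
    for listing in listings:
        for host, attrs in listing.items():
            rec = merged.setdefault(host, {})
            for key, value in attrs.items():
                rec.setdefault(key, value)
    return merged

def deficiencies(rec, as_of=AS_OF):
    """Control gaps for one server; a field no listing recorded counts as a gap."""
    admins, pol, last = rec.get("admins"), rec.get("pw_policy") or {}, rec.get("last_backup")
    checks = [
        ("admin account without password",
         admins is None or any(not a["password_required"] for a in admins)),
        ("unsupported OS", rec.get("os") not in SUPPORTED_OS),
        ("no antivirus", not rec.get("antivirus")),
        ("backup missing or stale",
         last is None or as_of - date.fromisoformat(last) > BACKUP_MAX_AGE),
        ("weak password policy",
         pol.get("min_len", 0) < PW_MIN_LEN or pol.get("max_age_days", 10**6) > PW_MAX_AGE_DAYS
         or not pol.get("complexity")),
    ]
    return [label for label, failed in checks if failed]

def high_risk_servers(listings):
    """Map each host to its gaps, worst first, so detailed testing can target high risk servers."""
    report = {host: deficiencies(rec) for host, rec in reconcile(listings).items()}
    return dict(sorted(report.items(), key=lambda item: -len(item[1])))
```

With the sample listings, srv02 fails all five checks, srv03 only has a stale backup, and srv01 meets every standard.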
The auditors specifically recommended the Department:

(1) develop and implement minimum security standards for the midrange environment;
(2) ensure all administrative accounts meet password and security standards;
(3) standardize password length and content requirements and ensure all user accounts require a password;
(4) update servers to current vendor recommended patch or service pack levels;
(5) ensure all servers are running antivirus software; and
(6) ensure all servers are routinely backed up.

Department officials concurred with our recommendation and stated that they have implemented numerous policies, standards, tools and procedures to help address these issues. Additionally, policy and security standardization will be accomplished in several ways: (1) as a part of the creation of the Illinois Department of Innovation and Technology, all agencies will be required to conform to state-wide policies and standards; (2) several aging applications that require special configurations and policy exceptions will be migrated to newer platforms, like the Enterprise Resource Planning or Software as a Service; (3) a requirement to use new service offerings, like Office 365, Azure, WebEx and Jabber, will only be offered to customers in the Illinois.gov domain. Over the past year progress has been made to remediate identified issues, including retiring end of support operating systems, lack of or outdated anti-virus and missed system backups. Accounts with administrative privileges have been reviewed, and adjusted where operationally feasible, but due to the dependency on agency applications, some of those accounts cannot be changed, furthering the necessity to move agency servers, applications and data to a standardized and common environment. (For the previous Department response, see Digest Footnote #1)

INADEQUATE CONTROLS OVER ELECTRONIC SURPLUS PROPERTY

The Department had not established adequate controls over the surplus of electronic equipment inventory.
During our review of surplus electronic inventory:

• We inquired with the Department regarding their process for ensuring the wiping of data drives. The Department stated they did not wipe the hard drives of the laptops or PCs. Instead they relied on the recycling vendors to wipe the drives; however, the required written certification was not requested or obtained from the vendor. Although contracts with the recycling vendors included requirements for the wiping certification, the provision was not enforced by the Department.
• Surplus electronic equipment was not offered to State agencies or to municipalities and units of local government; rather, equipment was shipped directly to recycling vendors.
• The Department’s property rules required agencies to adjust their property records within 30 days of acquisition, change or deletion of equipment items. However, the Department or vendor did not routinely provide certification of receipt of equipment within the 30-day timeline. As a result, the Department and other agencies were not able to adjust property records within the timeline. (Finding 7, pages 26-28)

We recommended the Department implement adequate controls over all aspects of property. The Department should ensure computer equipment is wiped of data in a timely manner. In addition, the Department should enforce contract terms and ensure written certifications are completed and retained. The Department should implement a process to review the condition of equipment prior to its being sent to the recycling vendor. All usable equipment should be obtained by the Department and offered to other State agencies or local units or sold, with the proceeds being deposited in the applicable fund. The Department should ensure agencies receive the signed and verified CMS Surplus Property Delivery Form within 30 days to properly document equipment record changes as outlined in the Department’s Property Control Rules.

The Department concurred with the recommendation. However, the Department is responsible for electronic equipment for consolidated agencies.

• The Department will review and update the CMS State Surplus Electronic Receiving and Processing Procedure as needed. Hard drives are destroyed by the vendor, and, in late FY15, they began requiring the certification be provided to the Department.
• For consolidated agencies, electronic equipment is determined by the BCCS End User group to be redeployed or recycled. Most recycled equipment goes directly to the recycling vendor under a State use contract. Surplus equipment is maintained in the warehouse for 30 days prior to being put onto iBid, the Department’s website to sell State surplus property. During the 30 days at the warehouse, the equipment is available to municipalities and other units of local government. The Department will continue to work on improving this process.
• Surplus electronic equipment received at the warehouse to be processed by recycling vendors typically waits in queue several months before the electronics can be sent and certified as destroyed. As a result, certification of receipt by recyclers may not be received by the Department within the 30-day timeframe. Surplus property has adjusted procedures to account for this discrepancy. Additionally, the Department will request a change to 5010.400 of the JCAR rules to exempt EDP equipment from the 30-day time period currently required for all property.

OTHER FINDINGS

The remaining findings pertain to 1) Inadequate Controls over Property and Equipment, 2) Failure to conduct yearly performance appraisals, 3) Inadequate monitoring of interagency agreements, 4) Inadequate software licensing monitoring, 5) Lack of monitoring and enforcement of security policies, and 6) Weaknesses with Payment Card Industry Data Security Standard. We will review progress toward implementing all recommendations in the next compliance examination.
AUDITOR’S OPINION

Our auditors state the financial statements of the Department of Central Management Services as of June 30, 2015, and for the year then ended are fairly presented in all material respects.

ACCOUNTANT’S OPINION

The accountants conducted a compliance examination of the Department of Central Management Services for the two years ended June 30, 2015, as required by the Illinois State Auditing Act. The auditors qualified their report on State Compliance for finding 2015-001. Except for the noncompliance described in this finding, the auditors state the Department complied, in all material respects, with the requirements described in the report.

FRANK J. MAUTINO
Auditor General

FJM:SKM

SPECIAL ASSISTANT AUDITORS

Our Special Assistant Auditors for this audit were Sikich, LLP.

DIGEST FOOTNOTES

#1 – Inadequate Security and Control over the Midrange Environment

2014: Due to the reasons stated in the cause, many of the issues still remain. The Department has corrected what is in its power to correct. Password standards have been developed, and exceptions documented. Operating systems that could be upgraded have been. Current anti-virus has been installed where possible, and the latest possible version of anti-virus has been installed on older operating systems that will not allow current versions to be installed. Backup processes have been implemented to verify all servers are backed up on a regular basis, and any exceptions have been documented. Some administrative rights have been reviewed, and adjusted, but due to the variety and age of the operating systems in place, no single tool is available to report against all systems. This makes it difficult and resource intensive to report across all servers. It is the Department’s goal to move all agencies to the new Illinois.gov domain. This would provide a current, vendor supported environment for all agencies, and ensure compliance. However, because existing legacy applications are based on the older legacy security systems, migration to the Illinois.gov environment has been slow. It should be noted that it costs agencies time and resources to migrate the legacy applications to the new environment, and they have not made this a priority. Additionally, the Department has not been provided authority to force agencies to migrate to the new environment since it would have a negative impact on their allocated budgets.