REPORT DIGEST

DEPARTMENT OF FINANCIAL AND PROFESSIONAL REGULATION

COMPLIANCE EXAMINATION
FOR THE TWO YEARS ENDED JUNE 30, 2020

Release Date: May 11, 2021

FINDINGS THIS AUDIT: 14

CATEGORY       NEW   REPEAT   TOTAL
Category 1:      0        1       1
Category 2:      8        5      13
Category 3:      0        0       0
TOTAL:           8        6      14

FINDINGS LAST AUDIT: 14

Category 1: Findings that are material weaknesses in internal control and/or a qualification on compliance with State laws and regulations (material noncompliance).
Category 2: Findings that are significant deficiencies in internal control and noncompliance with State laws and regulations.
Category 3: Findings that have no internal control issues but are in noncompliance with State laws and regulations.

State of Illinois, Office of the Auditor General
FRANK J. MAUTINO, AUDITOR GENERAL

To obtain a copy of the Report contact:
Office of the Auditor General, Iles Park Plaza, 740 E. Ash Street, Springfield, IL 62703
(217) 782-6046 or TTY (888) 261-2887

This Report Digest and Full Report are also available on the worldwide web at www.auditor.illinois.gov

SYNOPSIS

• (20-001) The Illinois Department of Financial and Professional Regulation (Department) failed to adhere to provisions of the Fiscal Control and Internal Auditing Act (Act).
• (20-005) The Department did not timely complete employee performance evaluations.
• (20-013) The Department did not maintain adequate internal controls related to its cybersecurity programs and practices.

FINDINGS, CONCLUSIONS, AND RECOMMENDATIONS

INADEQUATE INTERNAL AUDIT FUNCTION

The Illinois Department of Financial and Professional Regulation (Department) failed to adhere to provisions of the Fiscal Control and Internal Auditing Act (Act). During testing, we noted the following:

• The Department’s Secretary has not appointed an individual to fill the Department’s chief internal auditor position.
  This position was vacated on July 1, 2016, 1,460 days prior to the end of the examination period on June 30, 2020.
• The Department and CMS did not obtain the Governor’s approval for CMS to provide professional internal auditing services to the Department.
• While testing the Expenses and Support Cost section of the intergovernmental agreement, effective April 1, 2018, between the Department and CMS, we requested the Department provide us with sufficient and appropriate audit evidence related to costs of the Department’s internal audit function from July 1, 2018, through June 30, 2020. We requested the documentation to substantiate (1) the authorization of CMS to use the Department’s appropriation for processing payroll as allowed for under the intergovernmental agreement, and (2) CMS only charged the Department for payroll services of CMS internal auditors who provided internal audit functions to the Department. The Department was unable to provide us with the documentation requested. Specifically, we noted the following:
  – In response to our requests, Department management indicated CMS does not bill the Department for its internal audit services and related assistance. The Department’s specific costs for its professional internal audit services are not being tracked. As a result, we were unable to audit the cost of the Department’s internal audit function to ensure the Department is accurately reimbursing CMS payroll costs as stipulated by the intergovernmental agreement.
  – Also, the Department granted CMS authorization through its intergovernmental agreement to charge the Department’s appropriations for payroll costs associated with CMS’ rendering of professional internal audit services to the Department; however, as indicated by the Department in its response to our requests, it is not the Department’s nor CMS’ intent to process any vouchers against the Department’s appropriations. As a result, we believe there is a significant internal control risk with potentially delegating a State’s appropriation authority unnecessarily. Although this did not occur during the examination period, there is still a potential risk that exists due to the intergovernmental agreement not being modified. (Finding 1, pages 13-16)

We recommended:

• The Department’s Secretary appoint a chief internal auditor and ensure a full-time program of internal auditing is in place and functioning at the Department.
• If another agency is to be relied upon to supplement internal audit functions at the Department, the Department should obtain written approval of the Governor for these services and ensure such services are provided in accordance with the Act’s requirements.
• The Department implement policies and procedures to track internal audit costs, maintain documentation which adequately documents the costs of the Department’s internal audit function, and ensure other agencies providing services to the Department are only reimbursed for allowable costs.
• Finally, the Department should not grant another agency the authority to process payroll against the Department’s appropriations unnecessarily or without implementing and documenting proper controls.

Department management accepted our recommendation and stated the Department intends to continue its search for a Chief Internal Auditor. Department management also stated that since working with the Department of Central Management Services, the Department has conducted annual Department-wide risk assessments, approved annual audit plans, received annual reports detailing the performance by the internal audit team, and conducted/filed internal control checklists timely.

EMPLOYEE PERFORMANCE EVALUATIONS NOT TIMELY COMPLETED

The Department of Financial and Professional Regulation (Department) did not timely complete employee performance evaluations.
During our testing of 40 employee personnel files, we noted evaluations were not performed on a timely basis for 32 (80%) of the employees tested. The evaluations were performed from 1 to 404 days late. (Finding 5, page 23) This finding has been repeated since 1993.

We recommended the Department evaluate its procedures for monitoring performance evaluations to ensure completion on a timely basis.

Department management accepted our recommendation.

WEAKNESSES IN CYBERSECURITY PROGRAMS AND PRACTICES

The Department of Financial and Professional Regulation (Department) did not maintain adequate internal controls related to its cybersecurity programs and practices. During our examination of the Department’s cybersecurity programs and practices, we noted the Department had not:

• Ensured cybersecurity roles and responsibilities were documented.
• Developed a formal, documented project management framework to ensure new applications are implemented to meet management’s intentions.
• Performed a comprehensive risk assessment to identify and ensure adequate protection of information (i.e. confidential or personal information) most susceptible to attack.
• Classified its data to identify and ensure adequate protection of information.
• Evaluated and implemented appropriate controls to reduce the risk of attack.
• Developed a formal, comprehensive, adequate, and communicated security program (policies, procedures, and processes) to manage and monitor the regulatory, legal, environmental and operational requirements.

The Department has the responsibility to ensure confidential and personal information is adequately protected.
Specifically, we recommend the Department:

• Establish and communicate the Department’s security program (formal and comprehensive policies, procedures, and processes) to manage and monitor the regulatory, legal, environmental, and operational requirements;
• Develop a formal, documented project management framework to ensure new applications are implemented to meet management’s intentions;
• Classify its data to identify and ensure adequate protections of information;
• Evaluate and implement appropriate controls to reduce the risk of attack;
• Ensure cybersecurity roles and responsibilities are clearly defined; and,
• Perform a comprehensive risk assessment to identify and ensure adequate protection of information, including confidential and personal information, most susceptible to attack.

Department management accepted our recommendation.

OTHER FINDINGS

The Department had other findings pertaining to understaffed Boards, compliance with the Savings Bank Act, Agency Workforce Reports, inaccurate lump sum payments, failure to perform timely reconciliations, weaknesses in internal controls over travel, deficiencies in management of returned checks, user access reviews, review of service providers, weaknesses in change management, and weaknesses over ERP implementation. We will review the Department’s progress towards the implementation of our recommendations in our next compliance examination.

ACCOUNTANT’S OPINION

The accountants conducted a compliance examination of the Department for the two years ended June 30, 2020, as required by the Illinois State Auditing Act. The accountants qualified their report on State compliance for Finding 2020-001. Except for the noncompliance described in this finding, the accountants stated the Agency complied, in all material respects, with the requirements described in the report.

This compliance examination was conducted by Sikich LLP.
JANE CLARK
Division Director

This report is transmitted in accordance with Section 3-14 of the Illinois State Auditing Act.

FRANK J. MAUTINO
Auditor General

FJM:mrk