REPORT DIGEST

DEPARTMENT OF HUMAN SERVICES

FINANCIAL AUDIT
FOR THE YEAR ENDED JUNE 30, 2022

Release Date:  August 15, 2023

FINDINGS THIS AUDIT: 8

CATEGORY:  NEW -- REPEAT -- TOTAL
Category 1:  2 -- 5 -- 7
Category 2:  0 -- 1 -- 1
Category 3:  0 -- 0 -- 0
TOTAL:  2 -- 6 -- 8

FINDINGS LAST AUDIT: 10

Category 1: Findings that are material
weaknesses in internal control and/or a
qualification on compliance with State
laws and regulations (material
noncompliance).
Category 2: Findings that are
significant deficiencies in internal
control and noncompliance with State
laws and regulations.
Category 3: Findings that have no
internal control issues but are in
noncompliance with State laws and
regulations.

State of Illinois, Office of the
Auditor General
FRANK J. MAUTINO, AUDITOR GENERAL

To obtain a copy of the Report contact:
Office of the Auditor General, Iles
Park Plaza, 740 E. Ash Street,
Springfield, IL 62703
(217) 782-6046 or TTY (888) 261-2887

This Report Digest and Full Report are
also available on the worldwide web at
www.auditor.illinois.gov


SYNOPSIS

• (22-01)  The Department does not have
sufficient internal control over
accounting for grant transactions
resulting in material misstatements to
the draft financial statements.

• (22-02) The Department does not have
an adequate understanding of the
suitability of the design of internal
control or the operating effectiveness
of internal control in place over all
data recorded in its financial
statements for transactions initiated
by other State agencies and recorded in
the Department’s financial statements.
• (22-05) The Departments (HFS and DHS)
had weaknesses in the general
information technology (IT) controls
over the Integrated Eligibility System
(IES).

FINDINGS, CONCLUSIONS, AND
RECOMMENDATIONS

INADEQUATE INTERNAL CONTROLS OVER
ACCOUNTING FOR FEDERAL AWARDS

The Department of Human Services
(Department) does not have sufficient
internal control over accounting for
grant transactions resulting in
material misstatements to the draft
financial statements.

For financial reporting purposes, the
Department (Fiscal Services) tracks
grant data for purposes of accruing
grant receivables, unearned revenue,
unavailable revenue and payable
balances, all of which impact Federal
Operating Grant Revenue, using Office
of Comptroller required SCO forms
including SCO-563 Grant /Contract
Analysis, SCO-567, Interfund Transfers
– Grantee Agency, and SCO-568 Interfund
Transactions – Grantor Agency.

In preparing the SCO Forms, the
Department made errors in reporting
expenditure amounts, including
expenditure adjustments, and cash
receipts, including lapse period
receipts, for its federal award
programs, resulting in errors in the
financial statements for grant
transactions.  Additionally, based on
audit procedures performed, the SCO
Forms required multiple revisions
through February 24, 2023. Some of the
most significant errors are as follows:

• Included in the errors was an
adjustment for $41.9 million in the
General Revenue Fund (0001).  In March
2023, the Department communicated to
auditors that there were qualifying
expenditures incurred for a new grant
award (10% enhanced match federal award
for certain expenditures for home and
community-based services (HCBS)), that
had not been recorded as expenditures,
receivables or revenues in the SCO
Forms or in the original draft
financial statements.  Included in a
letter provided by CMS (Centers for
Medicare & Medicaid Services) dated May
13, 2021 and addressed to State
Medicaid Directors (which includes
HFS), was an award for additional
funding which was based on an increased
Federal rate applied to HCBS for a
specified period of time. This award is
required to be used for providing
enhanced HCBS and is considered to be
an expenditure-driven grant. Based on
the award requirements communicated,
the Department incurred $41.9 million
in qualifying expenditures for enhanced
HCBS during fiscal year 2022.  As of
March 31, 2023, this earned amount had
not been provided to the Department by
HFS.  HFS considers the amount received
from the Federal government through
their right of offset with other
Medicaid related over-draws.

Further, during the audit it was noted
that General Revenue Fund expenditures
for the Social Services Block Grant
(SSBG) ALN 93.667 were overstated in
fiscal year 2020 by $29.6 million,
resulting in a balance remaining in Due
from Other Governments – Federal and
Unavailable Revenue.  The balances for
Due from Other Governments – Federal,
and Unavailable Revenue were written
off in fiscal year 2022.  The resulting
adjustment in governmental activities
was reported as a reduction to fiscal
year 2022 Federal Operating Grant
Revenue.  As a result of the entry
recorded, Federal Operating Grant
Revenue in the General Fund was
understated and opening net position
was overstated in Governmental
Activities.

• In the Community Developmental
Disabilities Services Medicaid Trust
Fund (0142), the Department recognized
all cash deposited into the fund by HFS
as revenue. However, receipts exceeded
qualifying expenditures incurred which
resulted in an overstatement of Federal
Operating Grant Revenue, and an
understatement of Unearned Revenue of
$23.6 million.

• A transfer of COVID-19 related grant
funding between two funds - State
C.U.R.E. Fund (0324) and DHS State
Projects Fund (0642) was not accounted
for correctly resulting in a $20
million understatement of cash in the
DHS State Projects Fund (0642), which
was not detected and corrected during
the Department's bank reconciliation
process.  Interfund balances between
the two funds were understated by the
same amount due to the lack of
qualifying expenditures in Fund 0642.

• Expenditures and receipts between
three Childcare Program assistance
listing numbers (ALNs) for the
Employment and Training Fund (0347)
were misstated which led to
overstatements of Unearned Revenue
($257.8 million), Due from Other
Governments – Federal ($189.3 million)
and Unavailable Revenue ($181.0
million). Federal Operating Grant
Revenue was understated $249.5 million.

Further, two of the errors noted in the
finding were brought to the attention
of auditors’ months after the end of
the fiscal year, and after four
previous financial statement drafts had
been provided.  Specifically, as noted
in item 1 of this finding, auditors
were provided information in March 2023
about additional HCBS receivables which
management should have been aware of
since the start of the fiscal year when
it was communicated by Federal CMS.
Additionally, with regards to one of
the uncorrected misstatements, the
under reporting of DD program
expenditures for Medicaid funded and
waiver programs was not communicated to
auditors until June 2023, despite
management becoming aware of the issue
in November 2022. (Finding 1, pages
78-83)

We recommended the Department
strengthen its internal control over
preparing the SCO Forms by including a
reconciliation of Federal grant
receipts and expenditures by ALN
included in each SCO Form to the
general ledger for each fund (the ERP
System). Deposits of federal draws
should be recorded in the fund(s) that
incurred the associated expenditures.
Once prepared, balances reported in the
SCO forms should be compared to the
draft financial statements, by fund, to
conclude if amounts are reasonable.
Additionally, large balances in Due
from Other Governments – Federal,
Unearned Revenue and Unavailable
Revenue should be investigated as they
are unusual for reimbursement type
grant awards in which the Department
can generally draw funds monthly upon
the incurrence of qualifying
expenditures.

Additionally, we recommended Department
management promptly disclose known
events, conditions, and transactions of
the Department which could impact
either an ongoing audit or previously
released audit performed by the Office
of the Auditor General, even if the
full ramifications of the matter are
not yet known.

The Department accepted the
recommendation and stated it will
include a reconciliation of federal
grant receipts and expenditures to the
general ledger in the ERP for all ALN’s
included on each SCO563.  Balances
reported on the SCO563’s will also be
compared to the corresponding funds in
the draft financial statements. Any
large balances on the SCO563 related to
Due from the Federal Government,
Unearned Revenue and Unavailable
Revenue will also be researched and the
underlying reasons noted.  The
Department will promptly disclose any
known events, conditions or
transactions that could affect current
or previously issued audits performed
by the Office of the Auditor General,
in the event, that such concerns are
identified.

MEDICAL ASSISTANCE PROGRAM FINANCIAL
INFORMATION

The Department of Human Services
(Department) does not have an adequate
understanding of the suitability of the
design of internal control or the
operating effectiveness of internal
control in place over all data recorded
in its financial statements for
transactions initiated by other State
agencies and recorded in the
Department’s financial statements.

During our testing of the financial
statements, we noted the following:

• The Department could not provide
documentation of the preparation or the
Department's review of expenditure
reconciliations for Federal Medical
Assistance Program (MAP) funds or the
State Children's Health Insurance
Program  (CHIP) (Funds 0120,  0142,
0211, 0365, 0502, 0509, 0718) between
amounts reported in the Department's
general ledger system (ERP) and amounts
reported in the Grant/Contract Analysis
Forms (Form SCO-563s) provided to the
Office of Comptroller (IOC) which
support the receivable and revenue
calculation for financial reporting.
The amount per the Form SCO-563s
(totaling approximately $364 million
for total reimbursable costs "TRC" for
Assistance Listing Numbers (ALN) 93.767
and 93.778), is a computed amount (a
formula), essentially the amount needed
to achieve the reported receivable
balance provided by the Department of
Healthcare and Family Services (HFS), a
separate State agency, or a maximum
amount for funds which have a statutory
deposit limit.  The Department does not
retain a reconciliation between what is
reported on the Form SCO-563s
(claimable expenditures) and within ERP
(all expenditures) for each fund which
identifies which expenditures were used
for claiming the federal award.
Additionally, there is no documentation
maintained by the Department to support
the calculation and methodology used by
HFS in preparing the net federal
receivable amount (approximately $739
thousand for the two ALNs).

• During testing of expenditures and
liabilities, we determined that the
Department is not monitoring or
reviewing the payments submitted by
HFS, or the liabilities calculated by
HFS, on behalf of the Department and
reported in the Department's financial
statements.  When HFS submits a request
for payment to the IOC, a summary file
is also sent to the Department which
goes through an interface and is
recorded into ERP.  An employee in the
Department's Office of Fiscal Services
reconciles the payments between ERP and
the IOC before accepting them into ERP.
Although, the Department has documented
their understanding of how transactions
for DHS programs are processed within
HFS, the Department was not able to
provide auditors with documentation of
their monitoring performed over the
amounts reported in the Department's
financial statements.

• Additionally, the Department is
placing reliance on the internal
control over the applicable HFS system
without recent independent verification
of the system. Currently, the
Department receives summarized
information from HFS and records the
transactions into ERP and the SCO-563
forms without performing sufficient
procedures to determine the accuracy of
the information. (Finding 2, pages
84-86)

We recommended the Department assume
more responsibility for the
transactions and balances reported in
its financial statements that are
initiated/estimated by other State
agencies, including the following:
entering into an interagency agreement
(IA) with HFS that details the
responsibilities of each agency with
regards to initiating, processing and
recording transactions, and how the
sufficiency of internal control over
Department transactions will be
monitored (i.e. annual internal audit,
SOC 1 Type 2 audit, or other), and,
once an IA is executed, on a regular
basis, the Department should determine
if the control system and related
monitoring agreed to through the IA, is
sufficient to prevent and detect
significant financial statement errors.
The sufficiency of internal control
should be monitored each time there is
a major change to MAP/CHIP programs or
IT systems used for those programs. We
also recommended expenditure and
accrual amounts provided by HFS in
connection with year-end reporting of
Federal MAP receivables should be
reconciled to ERP or agreed to reports
and source data compiled by HFS.

The Department accepted the
recommendation and stated it   will
pursue an interagency agreement with
HFS, monitor audits and reviews
performed on HFS data and internal
controls, and research ways to
reconcile Federal MAP receivable data
provided by HFS to DHS data contained
in the ERP.

INADEQUATE GENERAL INFORMATION
TECHNOLOGY (IT) CONTROLS OVER IES

The Department of Healthcare and Family
Services and the Department of Human
Services (collectively, the
“Departments”) had weaknesses in the
general information technology (IT)
controls over the Integrated
Eligibility Systems (IES).

Management of the Departments have a
shared responsibility for various human
service programs in the State and for
internal controls over the manual and
automated processes relating to
eligibility for these programs.  The
Departments’ IES is the automated
system used by the Departments to
intake, process (with the assistance of
caseworkers), and approve assistance
applications, maintenance items, and
redeterminations of eligibility as well
as to make payments for the State’s
human service programs.

In addition to the conditions noted
below, related IES issues over the lack
of a detailed interagency agreement are
noted in Finding 2022-006, and issues
over disaster recovery controls are
noted in Finding 2022-004.

Environment

The IES application and data reside on
the Department of Innovation and
Technology (DoIT) environment.  In this
regard, DoIT is a service provider (SP)
to the Department.

During the Departments’ internal
security review, completed as part of
its Plan of Actions and Milestones
(2022) report to the U.S. Department of
Health and Human Services, Centers for
Medicare and Medicaid Services (Federal
CMS), significant threats over DoIT’s
general IT environment, which hosts
IES, were identified.

Further, during our fieldwork it was
noted the Departments experienced two
security breaches related to the IES
system; the first breach occurred in
August 2022, and the second breach was
discovered in March 2023.  Information
about both breaches is disclosed in the
notes to the financial statements as
subsequent events.

Change Control

IES Application Changes - Policies and
Procedures

The Departments indicated there were no
updates to the change control policies
and procedures during fiscal year 2022.
Our review of the April 20, 2020 IES
Change Management Plan (Plan) noted the
Plan did not:
• Define the requirements for the
prioritization or classification of
changes,
• Define the numerical grading for
determining impact,
• Define the detailed documentation
requirements for test scripts and
results, impact analysis, design
documentation, or other required
documentation, and
• Define when changes were required to
include a specific requirement, who was
to review the various steps and when
and by whom approvals were required.

Additionally, we noted backout plans to
return the system to a previous
functional version in the event a
change moved into production caused
undesired results had not been prepared
for individual infrastructure changes.

User Access
IES User Access Policies and Procedures
The Departments indicated there were no
updates to IES user access policies and
procedures during fiscal year 2022.
During our testing of the Departments’
access provisioning policies, we noted
the policies did not define the time-
period in which the Departments were
required to disable a terminated
individual’s system access. Also, there
was no systemic record of the date when
the access was removed, or a
management-defined definition of
timeliness.  Therefore, we were unable
to determine whether user access was
removed timely when a user was
transferred or terminated. (Finding 5,
pages 91-94)

We recommended management of both
Departments work together to strengthen
controls over the IES environment by
addressing all significant threats
identified in the Plan of Actions and
Milestones (2022) report to the U.S.
Department of Health and Human
Services, Centers for Medicare and
Medicaid Services, strengthen controls
in the IES Change Management Plan by
including the items noted above, and
enhance internal control over IES user
access by adopting a formal written
policy or procedure which includes a
definition of "timely" for disabling an
individual's access to the IES system,
and a process for tracking whether
access was revoked timely based on the
definition.

DHS accepted the recommendation and
stated it will work with DoIT to
resolve outstanding Plan of Action and
Milestones (POAM) as expeditiously as
possible and to develop a system change
backout process for infrastructure
changes. DHS also stated it has updated
its IES Change Management policy and
procedures to ensure it meets auditor
recommendations. In FY23, DHS stated it
published additional details on its
OneNet regarding the review and
timeline for termination of IES access
by the Regional Systems Monitors. Also,
DHS and HFS are currently working with
DoIT and the service provider to
implement a solution in the IES
application, which will provide for
tracking of user access provisioning
and termination.

OTHER FINDINGS

The remaining findings pertain to other
accounts receivable misstatements,
inadequate disaster recovery controls
over the IES, lack of finalized IES
detailed agreement between DHS, HFS and
DoIT, insufficient review and
documentation of IMPACT provider
enrollment determinations and failure
to timely execute interagency
agreement, and inadequate general
information technology controls over
IMPACT. We will review the Department’s
progress towards the implementation of
our recommendations in our next
financial audit.

AUDITOR’S OPINION

The auditors stated the financial
statements of the Department of Human
Services as of and for the year ended
June 30, 2022 are fairly stated in all
material respects.

This financial audit was performed by
RSM US LLP.

JANE CLARK
Division Director

This report is transmitted in
accordance with Section 3-14 of the
Illinois State Auditing Act.

FRANK J. MAUTINO
Auditor General

FJM:jv