REPORT DIGEST

DEPARTMENT OF NATURAL RESOURCES

COMPLIANCE EXAMINATION
FOR THE TWO YEARS ENDED JUNE 30, 2022

Release Date:  July 6, 2023

FINDINGS THIS AUDIT: 37

CATEGORY:  NEW -- REPEAT -- TOTAL
Category 1:  2 -- 8 -- 10
Category 2:  8 -- 19 -- 27
Category 3:  0 -- 0 -- 0
TOTAL:  10 – 27 -- 37

FINDINGS LAST AUDIT: 30

Category 1: Findings that are material
weaknesses in internal control and/or a
qualification on compliance with State
laws and regulations (material
noncompliance).
Category 2: Findings that are
significant deficiencies in internal
control and noncompliance with State
laws and regulations.
Category 3: Findings that have no
internal control issues but are in
noncompliance with State laws and
regulations.

State of Illinois, Office of the
Auditor General
FRANK J. MAUTINO, AUDITOR GENERAL

To obtain a copy of the Report contact:
Office of the Auditor General, Iles
Park Plaza, 740 E. Ash Street,
Springfield, IL 62703
(217) 782-6046 or TTY (888) 261-2887

This Report Digest and Full Report are
also available on the worldwide web at
www.auditor.illinois.gov

INTRODUCTION
Because of the significance and
pervasiveness of the findings described
within the report, we expressed an
adverse opinion on the Department of
Natural Resources’ (Department)
compliance with the specified
requirements which comprise a State
compliance examination.  The
Codification of Statements on Standards
for Attestation Engagements (AT-C §
205.74) states a practitioner “should
express an adverse opinion when the
practitioner, having obtained
sufficient appropriate evidence,
concludes the misstatements,
individually or in the aggregate, are
both material and pervasive to the
subject matter.”

Further, this digest covers our
Compliance Examination of the
Department for the two years ended June
30, 2022.  A separate Financial Audit
of the Department’s Capital Assets for
the year ended June 30, 2022 was
previously released on February 2,
2023.  In total, this report contains
37 findings, none of them were reported
in the Financial Audit.

SYNOPSIS

• (22-01) The Department did not
exercise adequate internal controls
over its reporting and maintenance of
accounts receivable.
• (22-02) The Department did not have
adequate controls over historical
artifacts.
• (22-03) The Department did not have
adequate controls over preparation of
monthly reconciliations.
• (22-14) The Department failed to
implement adequate controls over its
service providers.
• (22-15) The Department had weaknesses
over computer security.
• (22-19) The Department failed to
monitor and enforce concessionaire
lease agreements regarding   rental and
reserve payments.

FINDINGS, CONCLUSIONS, AND
RECOMMENDATIONS

INADEQUATE CONTROLS OVER ACCOUNTS
RECEIVABLE

The Department did not exercise
adequate internal controls over its
reporting and maintenance of accounts
receivable.    We performed detailed
testing of accounts receivable
including the Quarterly Summary of
Accounts Receivable – Accounts
Receivable Activity (Form C-97) and
Quarterly Summary of Accounts
Receivable – Aging of Total Gross
Receivables (Form C-98).  During our
testing, we noted the following
weaknesses:

• The Department did not maintain a
detailed accounts receivable subsidiary
ledger to support the quarterly
accounts receivable additions reported
on the Form C-97s. Rather, the
Department took the amount collected
during the quarter, subtracted the
beginning quarterly receivable balance,
and added the ending quarterly gross
receivable balance to calculate the
accounts receivable additions for the
quarter.

• During the compilation of Forms C-97
and C-98, the Department did not review
and verify the accuracy of accounts
receivable reported by the Department’s
in-charge of each fund.

• The Department was unable to provide
support for accounts written-off,
totaling $22,000, and transferred out,
totaling $5,000, for Funds 040, 137,
and 261 during Fiscal Year 2021.

• For Fund 039, the Department was
unable to provide support for amounts
reported on the Form C-98 for the
fourth quarter of Fiscal Years 2021 and
2022. The unsupported amounts noted
were for the categories of “1-30 days”,
“31-90 days”, “91-180 days”, “181-1
year” and “Over 1 year” and ranged from
$88 to $3,322.

• The Department did not report
accounts receivable balances “due over
one year” as uncollectibles on the Form
C-97 for Funds 040, 041, and 261 for
the fourth quarter of Fiscal Years 2021
and 2022. The Department’s accounts
receivable balances “due over one year”
for Funds 040, 041 and 261 ranged from
$33,941 to $2,493,050.

• The Department did not make
sufficient attempts to either collect
its aged accounts receivable or write
off uncollectible accounts receivable
greater than one year old.  As of June
30, 2022, outstanding receivables aged
more than a year totaled $2,085,128,
$2,493,050, $123,374, and $202,398 for
Funds 137, 261, 884, and 962,
respectively.

• One of 19 (5%) receivables selected
for detailed testing, totaling $53, did
not agree with the supporting
documents. Specifically, the accounts
receivable balance was overstated by
$25 when compared to the supporting
documents.

• For one of 19 (5%) receivables
selected for detailed testing, totaling
$43, the Department could not provide
support for the receivable.

• The Department was the lessor in
several real property rental agreements
but did not track the timing of the
rental payment due dates against
related receipts to determine if
receivables should be recorded and
reported to the Office of Comptroller
on its Fund 538 Form C-97.  Total real
property rental receipts reported by
the Department for Fund 538 were
$112,755 and $224,626 in Fiscal Year
2021 and Fiscal Year 2022,
respectively.  Potential receivable
amounts could not be determined.
(Finding 1, pages 14-18).  This finding
has been reported since 2014.

We recommended the Department implement
the necessary internal controls to
ensure accounts receivable are
adequately supported and are
consistently and accurately reported to
the Office of Comptroller.  Also, we
recommended the Department ensure
accounts receivable are timely pursued
for collection and, if not collectible,
submitted for uncollectible
certification and subsequently written
off.  Lastly, we recommended the
Department review rental transactions
to determine the amount of receivable
to be reported quarterly and at the end
of the year.

Department officials agreed with our
recommendation and stated they would
implement the necessary internal
controls to ensure accounts receivable
are consistently and accurately
reported to the Office of Comptroller.
Department officials also stated they
have increased collection efforts and
would review rental transactions within
Fund 538 to determine the amount of
receivable to be reported quarterly and
at the end of the year.

INADEQUATE CONTROLS OVER HISTORICAL
ARTIFACTS

The Department did not have adequate
controls over historical artifacts.

The Department did not maintain a
central inventory of its historical
artifacts. Each historical site
maintained their own inventory listing
and there was not an independent review
of items added to or removed from the
listing maintained by each site. Also,
physical inventory counts were
performed by the custodians of the
artifacts, not by independent persons.

Due to the deficiencies noted above, we
were unable to conclude the
Department’s population records of
historical artifacts were sufficiently
precise and complete under the
Attestation Standards promulgated by
the American Institute of Certified
Public Accountants (AT-C § 205.36) to
test the Department’s compliance
relative to historical artifacts.

Even given the population limitations
noted above which hindered our ability
to conclude whether the records were
complete and accurate, we requested the
Department provide the population of
historical artifacts for three
historical sites and noted the
following:

During our physical inspection of 30
historical artifacts:
• Three (10%) artifacts were found in a
location different from the location
indicated in the artifacts listing.

• Seven (23%) artifacts could not be
located.

• One (3%) artifact’s ID number did not
correspond to the ID number listed on
the artifact.

During our tracing of 30 historical
artifacts to the Department records:
• One (3%) artifact was not tagged with
an artifact ID number, therefore, the
item could not be traced to the
artifact listing.

• Five (17%) artifacts could not be
traced to the artifacts listing.
(Finding 2, pages 19-20).  This finding
has been reported since 2018.

We recommended the Department maintain
a central inventory listing of
historical artifacts and implement
internal controls requiring additions
and deletions to the artifacts catalog
be independently reviewed and approved.
We also recommended the Department
ensure the inventory of all historical
artifacts is performed and/or reviewed
by independent personnel.  Further, we
recommended the Department strengthen
its internal controls to ensure records
are accurately maintained and artifacts
are properly accounted for.

Department officials agreed with our
recommendation and stated they have
established a collections committee for
reviewing the acquisition/removal of
artifacts. Department officials also
stated they would continue to work
towards obtaining an independent review
of the inventory of historical
artifacts, but lack of manpower was
hampering their efforts to comply with
independent reviews.

INADEQUATE CONTROLS OVER PREPARATION OF
MONTHLY RECONCILIATIONS

The Department did not have adequate
controls over preparation of monthly
reconciliation of its significant
accounts and transactions with the
Office of Comptroller’s (Comptroller)
records.

During our testing, we noted the
Department did not perform monthly
reconciliations. Specifically, the
Department did not reconcile its
internal records with the following
Comptroller’s reports during Fiscal
Years 2021 and 2022:

• Revenue Status Report (SB04);

• Cash Report (SB05);

• Appropriations Status Report (SB01)
including lapse periods;

• Appropriation Transfer Report (SB03);
and

• Agency Contract Report (SC14) or
Obligation Activity Report (SC15).
(Finding 3, pages 21-22).  This finding
has been reported since 2016.

We recommended the Department ensure
monthly reconciliation of its activity
are performed, documented, and
reviewed.

Department officials agreed with our
recommendation and stated they would
strive to ensure all required
reconciliations of activities are
performed, documented and reviewed on a
timely basis.

INADEQUATE CONTROLS OVER SERVICE
PROVIDERS

The Department failed to implement
adequate controls over its service
providers.

We requested the Department provide the
population of service providers
utilized in order to determine if they
had reviewed the internal controls over
their service providers. However, the
Department did not provide a
population.

Although the Department did not provide
a listing of service providers, during
our testing we noted a service provider
which provided software as a service.
We requested the Department provide the
service provider’s contract and System
and Organization Controls (SOC) report.
However, the Department did not provide
the requested documentation. As a
result, we were unable to conduct
testing to determine if the Department
had implemented controls over their
service providers. (Finding 14, pages
47-48)

We recommended the Department work with
DoIT to obtain a detailed understanding
of each entity’s responsibilities
regarding the Department’s service
providers.  In addition, we recommended
the Department implement control to
determine their population of service
providers.  Further, we recommended the
Department:
• obtain SOC reports and document their
review.
• monitor and document the operation of
CUECs related to the Department’s
operations.
• either obtain and review SOC reports
for subservice organizations or perform
alternative procedures to satisfy
itself that the existence of the
subservice organization would not
impact its internal control
environment.
• document the review of the SOC
reports and all significant issues with
subservice organizations to ascertain
if a corrective action plan exists and
when it will be implemented, any impact
to the Department, and any compensating
controls.

Department officials agreed with our
recommendation and stated they would
work with DoIT to obtain a detailed
understanding of each party’s
responsibilities regarding service
providers.


WEAKNESSES OVER COMPUTER SECURITY

The Department had weaknesses over
computer security.

During testing, we noted the
Department:

• did not have a formal access
provisioning policy.

• did not timely remove separated
employees’ user access rights.  We
noted four of 277 (1%) separated
employees continued to have access to
an application subsequent to their
separation from the Department.
Further, we noted the Department did
not evaluate whether the separated
employees accessed the application.

• could not provide a list of users for
two of five (40%) applications selected
for testing.

• did not ensure laptops were encrypted
to protect data at rest.  During
testing of 40 laptops, we noted one
laptop (3%) did not have encryption
installed and 18 (45%) laptops could
not be located for physical inspection,
therefore, we could not determine if
these laptops were encrypted.

• had not maintained adequate control
over lost or missing computer equipment
items.  Twelve electronic data
processing equipment items were
reported as lost and missing during the
Department’s inventory and two laptops
were removed from the Department
records because they were missing.
However, the Department did not
determine if any confidential
information was stored on these
electronic data processing systems.
(Finding 15, pages 49-50)

We recommended the Department establish
and implement a formal access policy,
ensure timely deactivation of separated
users’ access, maintain a list of users
for each applications, ensure computer
equipment devices that store and
process confidential and sensitive
information are encrypted, and conduct
an assessment to determine if lost or
stolen laptops contained confidential
or personal information and ensure
compliance with the Personal
Information Protection Act.

Department officials agreed with our
recommendation and stated they would
establish and implement a formal access
policy, ensure timely deactivation of
separated users’ access and maintain a
list of users of each application.


FAILURE TO ENFORCE CONCESSIONAIRE LEASE
AGREEMENTS

The Department failed to monitor and
enforce concessionaire lease agreements
regarding rental and reserve payments.

During the examination period, the
Department had concession and lease
agreements with approximately 81
concessionaires located at State parks
throughout the State.  The Department’s
concession coordinators are responsible
for negotiating and enforcing lease
terms, overseeing the site, approving
rates charged, and collecting rental
payments.  These concession and lease
agreements are being monitored by the
Department using an agreement tracking
database.  The Department received
rental fees from concessionaires
totaling $696,271 and $649,906 during
Fiscal Years 2021 and 2022,
respectively.

• During our testing of 59 rental
payments from eight concession and
lease agreements, we noted three (5%)
rental payments were not timely
remitted to the Department, ranging
from 15 to 30 days late.

• During our testing of 48 reserve
account monthly remittances for the
four largest concessionaires/lessees
measured in terms of rental payments
and/or deposits, we noted one (2%)
concessionaires’ reserve deposit slips
were submitted 18 days late to the
Department.

During our testing of compliance with
the reporting requirements of the
concession agreements for the four
largest concessionaires/lessees
measured in terms of rental payments
and/or deposits, we noted the
following:

• Seven of 34 (21%) required reports
consisting of balance sheet, income
(profit and loss) statement, schedule
of gross revenue, annual cash flow
analysis, and reconciliations of the
schedule of gross revenues with
lessee’s revenue reports were not
timely submitted to the Department,
ranging from three to 110 days late.

• Seven of 34 (21%) required reports
consisting of annual forecast of
operating revenues and expenses, budget
of capital expenditures, summary of
concession's marketing plan and annual
analysis could not be located. As a
result, we were unable to determine if
the related reports were timely
submitted to the Department.

• One of 42 (2%) required reports
consisting of a profit and loss
statement was not date stamped upon
receipt by the Department.  As a
result, we were unable to determine if
the report was timely submitted to the
Department. (Finding 19, pages 58-60).
This findings has been reported since
2006.

We recommended the Department monitor
concessionaires to enforce its
contractual agreements and send
concessionaires formal written
communication when they fail to comply
with their contractual obligations to
the Department.

Department officials agreed with our
recommendation and stated they would
send concessionaires formal written
communication when they fail to comply
with their contractual obligations.


OTHER FINDINGS

The remaining findings pertain to (1)
inadequate controls over World Shooting
and Recreational Complex operations,
contractual agreements and obligations,
voucher processing, census data, system
development and change management,
payroll and long-term leave of
absences, receipts, overtime,
performance evaluations,
telecommunications, agency inventory
reports, investment of public funds,
fuel reconciliations, vehicles, and
bank reconciliations; (2) lack of
contingency planning or testing to
ensure recovery of computer systems;
(3) weaknesses with payment card
industry data security standards; (4)
weaknesses in cybersecurity programs
and practices; (5) internal audit
deficiencies; (6) noncompliance with
mandated duties, non-game wildlife
protection act, Illinois State Historic
Resources Preservation Act, and
Historical Sites Listing Act; (7)
failure to fully utilize the State’s
Enterprise Resource Planning system,
update the policy and procedures
manual, issue off-highway vehicle usage
stamps, comply with the Department of
Natural resources Act, and review and
update a comprehensive energy plan; (8)
inadequate administration and
monitoring of State awards and grants;
and (9) property control and petty cash
weaknesses.  We will review the
Department’s progress towards the
implementation of our recommendations
in our next compliance examination.

ACCOUNTANT’S OPINION

The accountants conducted a compliance
examination of the Department for the
two years ended June 30, 2022, as
required by the Illinois State Auditing
Act.  Because of the effect of the
noncompliance described in Finding
2022-001 through Finding 2022-037, the
accountants stated the Department did
not materially comply with the
specified requirements described in the
report.

This compliance examination was
conducted by Roth & Co., LLP.

JANE CLARK
Division Director

This report is transmitted in
accordance with Section 3-14 of the
Illinois State Auditing Act.

FRANK J. MAUTINO
Auditor General

FJM:vrb