FINDINGS,
CONCLUSIONS, AND
RECOMMENDATIONS
INADEQUATE REVIEW OF EMPLOYEE TRAVEL VOUCHERS
The Agency's procedures over the review and approval
of travel expenditures were not sufficient to ensure that
travel expense reimbursements were in compliance with the
Travel Regulations. We noted the following:
Agency employees claimed per diems ranging from $35
per day to $114 per day for out-of-country travel based
on published federal rates. These rates exceeded the
maximum allowable per diems established in the State
Travel Regulations. State Regulations do not provide
rates for meal per diems specifically for out-of-country
travel. We could find no documentation that Agency
employees requested exceptions to the maximum allowable
rates, for travel "outside the State of
Illinois" prior to the travel.
Employees were reimbursed for incorrect per diem or
meal allowances. In some instances, errors by employees
in the preparation of their travel vouchers resulted in
underpayment of allowable per diems. In other instances,
travel vouchers included claims for full per diems when
only partial per diems were allowable. We also found
out-of-state per diems were claimed for in-state travel
and per diems were not reduced when meals were provided
by the conference sponsors.
An employee reported the use of only half of a round
trip airplane ticket that had been direct billed and paid
by the Agency. The employee stated he lost the return
trip ticket but did not report the loss to the Agency so
that a refund could be requested. The Agency did not
match the employee's travel voucher to the direct bill
invoice voucher. As a result, the Agency paid for a
ticket that was not used. The Travel Regulations require
the reporting of direct billed expenses on travel
vouchers.
At least 6 unused, valid airline tickets remained
attached to travel vouchers. In all instances, the
tickets had been charged to the Agency's credit card.
After discovery during the audit, the tickets were
returned to the travel agent for credit.
Travel vouchers did not always include the purpose of
travel as required. On some vouchers the purpose stated
on the travel voucher did not agree with the supporting
documentation. (Finding 1, page 9)
We recommended the Agency establish effective controls
over travel and require more effective review and
approval of travel vouchers prior to reimbursement. We
also recommended the Agency collect any overpayments
previously made to staff.
The Agency responded that it accepted our
recommendation and described specific steps it would take
to improve its controls over travel expenses.
INADEQUATE PROCEDURES TO ENSURE PROPERTY RECORDS
WERE COMPLETE AND ACCURATE
The Agency had inadequate procedures to ensure all
property transactions were properly reflected in the
property reports, and the reports were not filed on a
timely basis.
A total of 80 equipment items were tested to verify
the item was at the location noted in the property
listing. Eleven items costing $6,364 could not be
located, and seven items costing $8,416 were found at a
location other than the location noted in the property
listing. These eighteen items were various pieces of
office furniture and office equipment.
A total of 25 equipment items were tested to verify
that removal of the item from the property listing was
adequately supported by documentation. Three items
costing $13,598 were deleted from the property listing
without supporting documentation.
The deficiencies noted above were the result of
inadequate enforcement of State Property Act provisions
and CUSAS procedures. The lack of adequate internal
controls has resulted in misstatements in the Agency's
property records. Also, inaccurate recordkeeping
increases the risk that equipment could be lost or stolen
due to lack of accountability. As of June 30, 1996 and
1995, the Agency had equipment totaling $24,964,403 and
$24,980,008, respectively. (Finding 5, page 17)
We recommended the Agency strengthen controls over
property as required by the State Property Control Act by
improving the reconciliation process, ensuring quarterly
reports are prepared on a timely basis, developing
adequate procedures for the transfer of equipment to
ensure proper reporting of its location and implementing
other controls over deletions/dispositions of equipment.
The Agency responded that it accepted our
recommendation and noted that a work group has been
formed to develop improved procedures and controls over
IEPA property. The Agency further noted most of the
group's recommendations have already been implemented.
COMPUTER SECURITY DEFICIENCIES
The Agency had not effectively or consistently secured
all of its computer systems.
A review of the Agency's computer security
adminis-tration procedures revealed the following
significant weaknesses:
- Agency-wide security policies and procedures had
not been followed and/or established to ensure
that all data was effectively secured.
- Minicomputer security features were not
adequately utilized. Users were not required to
change their passwords on the system. In general,
Agency personnel were not very familiar with many
of the security features available on the
minicomputer.
- Some security options to protect the Agency's
local area networks (LANs) were not used
effectively, and the security options used were
not consistently applied across all of the
Agency's LANs.
- A formal security awareness program for users
addressing computer security did not exist.
- Several users had improper access to critical
data on the mainframe.
These weaknesses can result in unauthorized access and
misuse of the Agency's information systems. (Finding 9,
page 22)
We recommended the Agency formally issue its Data
Security Standards and Procedures Manual, and perform a
detailed review of its existing minicomputer's security
features and implement changes necessary to comply with
Agency security policies for other systems. We also
recommended that a formal on-going computer security
awareness program should be developed, and that the
Agency's utilization of mainframe security software
should be reviewed and revised as needed to ensure users
have appropriate access capabilities to Agency
information.
The Agency responded that it accepted and partially
implemented our recommendations. The Agency also stated
that it has either taken or will take the following
corrective actions:
- The Agency has published a Security Procedures
Manual which establishes uniform standards for
security options on all servers within the
Agency.
- Security on the minicomputers has been reviewed.
- A formal Security Awareness Program has been
developed and presentation will begin by April 1,
1997.
- All specific access problems identified in the
audit have been rectified.
OTHER FINDINGS
The remaining findings and recommendations are less
significant and have been given attention by the Agency.
We will review progress towards the implementation of our
recommendations during the Agency's next audit.
The responses to our findings and recommendations were
provided by Mary Gade, Director.
AUDITORS' OPINION
Our auditors state the June 30, 1996 and June 30, 1995
combined financial statements of the Agency are fairly
presented.
____________________________________
WILLIAM G. HOLLAND, Auditor General
WGH:JTD:pp
SPECIAL ASSISTANT AUDITORS
Our special assistant auditors were Sikich Gardner
& Co, LLP.
|
