REPORT DIGEST
ENVIRONMENTAL PROTECTION AGENCY
FINANCIAL AND COMPLIANCE AUDIT
(In accordance with the Single Audit Act and OMB Circular A-133)
For the Year Ended:
Summary of Findings:
Total this audit 4
Total last audit 7
Repeated from last audit 3
Release Date:
State of Illinois
WILLIAM G. HOLLAND
AUDITOR GENERAL
To obtain a copy of the Report contact: (217)782-6046 or TDD (217) 524-4646
This Report Digest is also available on
SYNOPSIS
{Expenditures and Activity Measures are summarized on the reverse page.} |
ENVIRONMENTAL PROTECTION AGENCY
FINANCIAL AND COMPLIANCE AUDIT
For The Year Ended June 30, 1999
EXPENDITURE STATISTICS | FY 1999 | FY 1998 |
| $340,228,757 | $318,692,986 |
OPERATIONS TOTAL | $179,224,894 | $141,968,181 |
% of Total Expenditures | 52.68% | 44.55% |
Personal Services | $35,708,059 | $35,939,552 |
Other Payroll Costs (FICA, Retirement) | $9,762,997 | $8,714,565 |
Contractual Services | $44,095,900 | $11,557,326 |
All Other Operations Items | $89,657,938 | $85,756,738 |
GRANTS TOTAL | $161,003,863 | $176,724,805 |
| $29,243,791 | $31,175,461 |
|
SERVICE EFFORTS AND ACCOMPLISHMENTS | FY 1999 |
FY 1998 |
AIR POLLUTION CONTROL |
|
|
LAND POLLUTION CONTROL |
1 1,935 |
- |
WATER POLLUTION CONTROL |
|
24 |
AGENCY DIRECTOR(S)
During Audit Period: Mary Gade (7/1/98 to 1/18/99)
Thomas V. Skinner (1/19/99 to 6/30/99)
* Includes re-issuance of storm-water permits on a five-year cycle.
Reviews of administrative support services, purchasing, property, revenue and electronic data processing systems were not completed
No tests or updates to the Disaster Recovery Plan have been made since June 1993
$1,097,609 in installment purchases not recorded
FINDINGS, CONCLUSIONS, AND

INCOMPLETE AUDITING OF INTERNAL CONTROL SYSTEMS

Internal Audit has not completed reviews of five significant internal control systems as required by the Fiscal Control and Internal Auditing Act (FCIAA).

The FCIAA (30 ILCS 10/2003) requires the Agency to perform audits of major systems of internal accounting and administrative control on a periodic basis so that all major accounting systems are reviewed at least once every two years. FCIAA also provides for special audits of operations, procedures and other activities as directed by the chief executive officer.

Of the major internal control systems applicable to the Agency, reviews of the administrative support services, purchasing, property, revenue, and electronic data processing systems were not completed. These systems are significant to the operations and functions of the Agency.

Incomplete auditing of all major internal control systems increases the risk that significant internal control weaknesses will exist and errors and irregularities may go undetected. (Finding 1, pages 20-22) This finding has been repeated since 1996.

We recommended the Agency complete reviews of all major systems of internal accounting and administrative controls at least once every two years as required by the Fiscal Control and Internal Auditing Act.

Agency officials disagreed with the list of systems of internal accounting and administrative control which the statutes require to be audited. They stated that they rely on the work of external auditors so as not to duplicate audit effort and feel that they have an effective internal audit program.

We do not accept the Agency's position. The requirements of the law are clear. The Agency should comply with the statutory requirement and review all major systems of internal accounting and administrative control at least once every two years. (For the previous Agency responses, see Digest footnote #1.)
INADEQUATE COMPUTER DISASTER RECOVERY PLAN

The Agency did not have an adequate plan for reacting to disasters.

The Agency has approximately $7.6 million of computer equipment located at its facilities throughout the State. The Agency has approximately 1,274 microcomputers connected to local area networks (LANs) that process critical applications.

The disaster recovery and contingency plan is dated October 1992. The plan does not include recovery procedures for LANs. No tests or updates of the system have been made since June 1993. An alternative work site has not been agreed on and the names, addresses and phone numbers of essential personnel were not current.

A written and tested disaster recovery plan can greatly assist management in coping with service disruptions resulting from fires, floods, storms, power failures or vandalism. (Finding 2, pages 23-24) This finding has been repeated since 1996.

We recommended the Agency provide an effective disaster contingency plan for reacting to disasters.

Agency officials responded they plan to have a disaster recovery plan by September 1, 2000. (For the previous Agency responses, see Digest footnote #2.)

INADEQUATE PROCEDURES FOR PROPERTY AND EQUIPMENT

The Agency had inadequate procedures to ensure all property transactions were properly reflected in the property reports, and installment purchase agreements were not properly reported in the permanent property records.

One vehicle costing $11,525 had been transferred to surplus but remained on the fixed asset records, and one computer costing $7,100 was disposed of but remained on the property records. Also, the Agency did not properly report all property items acquired under installment purchase agreements. A total of $1,097,609 in installment purchases were not reflected on the permanent property records.

In addition, the Agency Quarterly Fixed Asset Reports were not corrected to reflect a prior year posting error totaling $2,997,537 that had been corrected on the Agency permanent property inventory. As a result, the permanent property records have been understated and the Quarterly reports have been overstated. The Agency had not properly reconciled the property records to identify and correct the errors. (Finding 3, page 25)

The Agency accepted our recommendations to strengthen controls over property by improving the reconciliation process and implementation of other controls over deletions/dispositions of equipment.

OTHER FINDINGS

The remaining finding and recommendation is less significant and is being given attention by the Agency. We will review progress towards the implementation of our recommendations during the Agency's next audit.

Stuart Gresham, Chief Internal Auditor, provided the responses to our findings and recommendations.

AUDITORS' OPINION

Our auditors state the June 30, 1999 combined financial statements of the Agency are fairly presented.
____________________________________
WILLIAM G. HOLLAND, Auditor General
WGH:TEE:pp

SPECIAL ASSISTANT AUDITORS

Our special assistant auditors were Sikich Gardner & Co, LLP.

DIGEST FOOTNOTES

#1 INCOMPLETE AUDITING OF INTERNAL CONTROL SYSTEMS
Previous Agency Responses

1998: Accepted. We will continue to make the necessary adjustments in audit coverage to ensure that all significant control systems are audited while continuing to provide management with meaningful reviews of program operations.

1996: Accepted. The audit report states that Internal Audits did not perform adequate reviews of the personnel/payroll and property control systems during the two-year audit period. This finding is based on the fact that five audits of control systems were begun but not completed during the audit period. It is not unusual that some internal audits would span external audit periods. The Agency believes that the audits of our personnel/payroll and property control systems, although not completed by the end of the audit period, nevertheless met the requirements of FCIAA. In fact, corrective action had begun in FY96 based on those audits in progress, as problem areas were identified. Such corrective action is reflected, for example, in our response to Finding #6, relative to property control. Although we disagree with this finding with regard to exactly what is required under FCIAA, we will make every effort to comply with the recommendation in the future.

#2 INADEQUATE COMPUTER DISASTER RECOVERY PLAN
Previous Agency Responses

1998: Accepted. The Agency has been reviewing its use of information technology. As a result of that review, all network servers are being centralized into a single computer room to provide efficiency of operations, automated backup, and adequate physical and network security. With the completion of the centralization process, the disaster recovery process will be restarted and a disaster recovery plan should be completed and tested by December 31, 1999.

1996: Accepted. The Disaster Recovery Plan is being updated and expanded to include LAN-based applications. The updated plan will be tested upon completion and will be reviewed and updated annually.