REPORT DIGEST

HUMAN RIGHTS COMMISSION

Compliance Examination
For the Two Years Ended June 30, 2015

Release Date: January 28, 2016

State of Illinois, Office of the Auditor General
FRANK J. MAUTINO, AUDITOR GENERAL

To obtain a copy of the Report contact: Office of the Auditor General, Iles Park Plaza, 740 E. Ash Street, Springfield, IL 62703
(217) 782-6046 or TTY (888) 261-2887

This Report Digest and Full Report are also available on the worldwide web at www.auditor.illinois.gov

FINDINGS THIS AUDIT: 7

CATEGORY       NEW    REPEAT    TOTAL
Category 1:     0       0         0
Category 2:     4       3         7
Category 3:     0       0         0
TOTAL:          4       3         7

FINDINGS LAST AUDIT: 7

Category 1: Findings that are material weaknesses in internal control and/or a qualification on compliance with State laws and regulations (material noncompliance).
Category 2: Findings that are significant deficiencies in internal control and noncompliance with State laws and regulations.
Category 3: Findings that have no internal control issues but are in noncompliance with State laws and regulations.

SYNOPSIS

• (15-01) The Commission did not publish its decisions as required.
• (15-02) The Commission failed to maintain adequate controls over recording and reporting of its State property.
• (15-03) The Commission had inadequate controls over system access and inadequate segregation of duties.
• (15-04) The Commission had not performed a risk assessment of its computing resources to identify confidential or personal information to ensure such information was protected from unauthorized disclosure.

FINDINGS, CONCLUSIONS, AND RECOMMENDATIONS

DECISIONS WERE NOT PUBLISHED

The Illinois Human Rights Commission (Commission) did not publish its decisions as required. We tested 40 decisions issued during the examination period and noted they were not published. We further noted no decisions were posted to the Commission’s website during Fiscal Years 2014 and 2015. (Finding 1, page 9) This finding has been repeated since 2007.

We recommended the Commission comply with the Illinois Human Rights Act and publish all of its decisions within 120 calendar days.

Commission officials agreed with the recommendation and stated the condition was a result of inadequate staffing. (For previous Commission response, see digest footnote #1.)

NEED TO IMPROVE CONTROLS OVER STATE PROPERTY AND REPORTING

The Commission did not maintain adequate controls over recording and reporting of its State property. We noted the following:

• Five of 40 (13%) equipment items selected for testing from the property listing, totaling $947, were unable to be located.
• Three of 40 (8%) equipment items observed and selected for testing could not be traced to the Commission’s property listing.
• Two of 40 (5%) equipment items selected for testing were not properly tagged.

(Finding 2, page 10)

We recommended the Commission ensure property records are properly maintained and all State property is properly tagged and inventoried.

Commission officials partially agreed with the recommendations and stated it was a result of items not tagged by the Department of Central Management Services after completion of repairs.

INADEQUATE CONTROLS OVER SYSTEM ACCESS AND SEGREGATION OF DUTIES

The Commission did not have adequate controls over system access and had an inadequate segregation of duties. The Commission utilized the Bureau of Communications and Computer Services (BCCS) Common Systems Accounting Information System (AIS), Central Payroll System (CPS), and the Central Time and Attendance System (CTAS).

During testing we noted two employees had all levels of authority in AIS. Both employees could enter and modify voucher payment data, had override authority and also had agency head approval for vouchers sent to the Office of the Comptroller.

In addition, one employee had all levels of authority in CPS and CTAS. The employee could enter salary and timekeeping data or changes, had agency head approval for vouchers and maintained the accounting records and the personnel files. In addition, the employee appeared to permit another employee to enter information in CPS either by signing in for them or sharing the user identifications and passwords. This employee also had agency head approval for vouchers. (Finding 3, pages 11-12)

We recommended the Commission segregate the duties of accounting, approval, and custody of records as much as possible and ensure employees have appropriate levels of authority and signature approvals. In addition, we recommended the Commission work with the Department of Central Management Services to ensure each authorized individual has an individual user identification and password for each applicable application.

Commission officials partially agreed with the recommendations and stated the conditions noted were the result of the unavailability of staff in a small agency with very limited resources.

NEED TO IMPROVE CONTROLS OVER THE SECURITY AND CONTROL OF CONFIDENTIAL INFORMATION

The Commission had not performed a risk assessment of its computing resources to identify confidential or personal information to ensure such information was protected from unauthorized disclosure.

During the review of the Commission, the following weaknesses were noted in regards to the security and control of confidential information. The Commission had not:

• Performed a risk assessment of the Commission’s computer resources.
• Performed its due diligence to ensure Commission data was secure or properly disposed.
• Developed formalized breach of security procedures.

(Finding 4, pages 13-14)

We recommended the Commission perform a comprehensive risk assessment to identify all forms of confidential or personal information and ensure adequate security controls, including adequate physical and logical access restrictions, have been established to safeguard data and resources; perform its due diligence and review controls to ensure its data is sufficiently secure and properly disposed; and develop policies and procedures to ensure timely compliance with the requirements outlined in the Personal Information Protection Act, in the event of a breach of confidential information.

Commission officials partially agreed with our recommendations and stated they do not have separate IT staff for this purpose and the Department of Central Management Services is their lead agency.

OTHER FINDINGS

The remaining findings pertain to inadequate controls over contractual services, inadequate controls over voucher processing, and failure to comply with the Illinois Human Rights Act. We will review the Commission’s progress toward implementation of our recommendations in our next examination.

ACCOUNTANT’S OPINION

We conducted a compliance examination of the Commission for the two years ended June 30, 2015 as required by the Illinois State Auditing Act. The accountants stated the Commission complied, in all material respects, with the requirements described in the report.

FRANK J. MAUTINO
Auditor General

FJM:PH

AUDITORS ASSIGNED

This examination was performed by the Office of the Auditor General’s staff.

DIGEST FOOTNOTES

#1 - DECISIONS WERE NOT PUBLISHED - Previous Commission response

2013: The Commission partially agrees with the finding which was the result of inadequate staffing necessary to undertake publishing duties. The Commission has hired new staff and will periodically update its website to ensure that current information relative to the publication of orders is completed within 120 days as required by statute.