REPORT DIGEST

 

DEPARTMENT OF TRANSPORTATION

 

FINANCIAL AUDIT AND COMPLIANCE EXAMINATION

 

For the Year Ended:

June 30, 2007

 

 

 

Summary of Findings:

Total this audit                 26

Total last audit                 11

Repeated from last audit    7

 

Release Date:

May 8, 2008

 

 

 

State of Illinois

Office of the Auditor General

WILLIAM G. HOLLAND

AUDITOR GENERAL

 

 

 

 

 

To obtain a copy of the Report contact:

Office of the Auditor General

Iles Park Plaza

740 E. Ash Street

Springfield, IL 62703

(217) 782-6046 or TTY (888) 261-2887

 

This Report Digest and the Full Report are also available on

the worldwide web at

http://www.auditor.illinois.gov

 

INTRODUCTION

 

      This report digest covers both the Financial Audit and State Compliance Examination of the Department of Transportation for the year ended June 30, 2007.   The Financial Audit Report contains three Findings (numbers 1-3).   The State Compliance Examination Report contains 23 Findings (numbers 4-26).

 

SYNOPSIS

 

  • The Department did not adhere to proper accounts payable cut-off policies and standards required by the State and generally accepted accounting principles.  Liabilities were significantly understated.

 

  • The Department made payments for Information Technology and Graphic Designers to the Department of Central Management Services (DCMS) without supporting documentation.

 

  • The Department did not have adequate controls to prevent inappropriate payments to vendors.

 

  • The Department and local agencies were delinquent in performing bridge inspections during FY07.  In addition, the Department needs to improve the quality of the bridge inspection data. 

 

  • The Department did not follow its own procedures for procuring professional and artistic contracts and did not maintain adequate documentation to substantiate its procurement activities.

 

  • The Department failed to provide proper notifications in the Illinois Procurement Bulletin and did not maintain adequate documentation in its procurement files.

 

  • The Department did not have adequate controls over its grant agreements.

 

  • The Department did not have adequate controls over tracking the costs and usage of State vehicles, the assignment of State vehicles to employees, and its reporting of vehicle accidents to DCMS.

 

  • The Department’s process to monitor interagency agreements was inadequate.

 

  • The Department did not establish adequate controls for securing its computer resources.

 

{Expenditures and Activity Measures are summarized on the reverse page.}


 

 

 

DEPARTMENT OF TRANSPORTATION

FINANCIAL AUDIT AND COMPLIANCE EXAMINATION

For The Year Ended June 30, 2007

 

EXPENDITURE STATISTICS

FY 2007

FY 2006

·         Total Expenditures (All Appropriated Funds)

 

$4,065,193,109

$3,786,467,365

     OPERATIONS TOTAL..........................

         % of Total Expenditures..................

$653,086,724

16.07%

$586,982,926

15.50%

         Personal Services............................

            % of Operations Expenditures....

            Average No. of Employees........

$367,317,070

56.24%

5,469

$346,429,630

59.02%

5,647

         Other Payroll Costs (FICA,

          Retirement)............................................

            % of Operations Expenditures....

 

$70,512,215

10.80%

 

$56,538,667

9.63%

         Contractual Services.......................

            % of Operations Expenditures....

$105,172,036

16.10%

$100,100,667

17.05%

         All Other Operations Items..............

            % of Operations Expenditures....

$110,085,403

16.86%

$83,913,962

14.30%

     GRANTS TOTAL...................................

         % of Total Expenditures..................

$1,459,997,979

35.91%

$1,398,345,623

36.93%

     CONSTRUCTION TOTAL.........................

         % of Total Expenditures..................

$1,944,421,571

47.83%

$1,796,580,236

47.45%

     CAPITAL IMPROVEMENTS TOTAL...

         % of Total Expenditures......................

$7,686,835

0.19%

$4,558,580

0.12%

     CAPITAL ASSETS – GROSS

         Infrastructure......................................

         All Other............................................

               Total............................................

 

$22,467,463

2,571,266

$25,038,729 

 

$21,808,196

2,508,588

$24,316,784

SELECTED ACTIVITY MEASURES (Not  Examined)

FY 2007

FY 2006

·         Number of bridges maintained/improved................

274

255

·         Percent of bridges in need of repair......................

10%

9%

·         Number of lane miles of pavement maintained.......

42,774

42,774

·         Construction investment/lane mile.........................

$44,326

$40,995

·         Miles of pavement maintained/improved................

908

820

·         Percent of roads in need of repair ........................

13%

13%

AGENCY SECRETARY(S)

During Audit Period:  Mr. Timothy Martin (07/01/07-01/26/07) Mr. Milton Sees (01/26/07 – current)

Currently:  Mr. Milton Sees

 

 

 

 

 

 

 

 

 

 

Proper cut-off policies and standards not followed

 

 

 

 

 

 

Liabilities were understated by $84,211,000

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 


Lack of supporting documentation

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

Payroll charges of $301,665 not supported

 

 

 

 

 

Building rent totaling $13,658 paid twice

 

 

 

No support for $9,845  in Graphic Designer billings

 

 

 

 

 

 

 

 

 

 

 

 

Inadequate controls

 

 


Payments totaling $22,881 were made in error

 

 

 

 

 

 

 

 

Vendors return duplicate payments

 

 

 

 

 

 

 

Date on invoice was changed

 

 

 

 

 

 

 

 

 


No review of employee overrides

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

1,752 bridge inspections were delinquent according to Department intervals

 

 

 

 

 

 

 

 

Problems noted with data accuracy regarding bridge inspection intervals

 

 

 

 

No individual was formally appointed as the Bridge Inspection Program Manager

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

Department states some of the bridges noted in the finding were not their responsibility and some of the bridge inspections were not actually delinquent

 

 

 

 

 

 


Auditors’ Comment

 

 

 

 

 

 

 

 

 

 

 

Procedures for awarding contracts were not followed

 

 

Negotiation not made with the bidder with the highest responsiveness points

 

 

 

 

Contract awarding process not documented adequately

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

Department partially agrees

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

Auditors’ Comment

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

Notification of award to other than lowest bidder not posted on the Illinois Procurement Bulletin

 

 

 

 

 

Procurement files did not document the proper handling of vendor price proposals

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

Inadequate controls

 

 

 

 

Grantee paid $3,288,660 and no inspections or monitoring performed

 

 

 

 

 

 

No evidence of monitoring reports or a final report

 

 

 

 

Reports not received and no evidence of monitoring

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

Inadequate controls over vehicles

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

Failure to track all costs

 

 

 


Report missing critical information

 

 

 

 

 

 

 

 

 


Accidents were reported late

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

Interagency agreements signed 24 to 89 days late

 

 

 

 

$79,656 in services invoiced prior to the effective date

 

 

 

Agreement with the Governor’s Office and ISBE to share employee’s services

 

 

 

 

 

 

 

 

 

Paid $20,065 more than the agreements required

 


Reimbursement not received from ISBE

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

Inadequate controls for securing computer resources

 

 

 

Shared responsibility with DCMS over computer security

 

 

 

 

 

 

 

 

 

 

 

 

Security Weaknesses

 

 

 

 

FINDINGS, CONCLUSIONS, AND RECOMMENDATIONS

 

NEED TO IMPROVE ACCOUNTS PAYABLE CUT-OFF PRACTICES

 

      The Department did not adhere to proper cut-off policies and standards required by the State and generally accepted accounting principles (GAAP).

 

      During the review of subsequent expenditure reports for August through February 2008, approximately 1,500 exceptions were noted in which invoices relating to goods received or services performed prior to the year-end date were not accrued as of June 30, 2007. These inaccurately recorded expenditures resulted in an understatement of liabilities totaling $84,211,000 in the following funds: 1) Road Fund, 2) Grade Crossing Protection Fund, 3) Federal Local Airport Fund, 4) Transportation Bond Series B Fund, and 5) State Construction Account Fund. An adjusting journal entry was recorded by the Department to correct these differences.

 

      In addition, differences pertaining to the:  1) General Fund for $83,382, 2) the Road Fund for $827,294, 3) State Construction Account for $996,158, and 4) six non-major funds for $987,448 were identified.  The Department did not record the proposed auditor adjustment to the financial statements for these amounts since they viewed these differences to be immaterial. 

 

      The auditors classified these conditions noted in this finding as a material weakness in internal control over financial reporting.  (Finding 1, pages 49-50 in the Financial Statement Audit)

 

      We recommended the Department prepare written instructions to be included as a part of the accounting policies and procedures manual which indicates both the concepts of proper cut-offs and the individuals responsible for accruing payables at the accounting period end. We further suggested development of a report to track unpaid vouchers at year end.

 

      Department officials agreed with the finding and stated the current protocol has been in place for several decades.  

 

      They also stated the GAAP reporting protocols are being studied and enhanced as necessary.  Further, once the new

protocols are in place, the Department will work with personnel and vendors to accurately accrue liabilities.   

 

INADEQUATE SUPPORT FOR PAYMENTS MADE FOR CONSOLIDATED SERVICES

 

     The Department made payment for Information Technology and Graphic Designers (consolidated services) to the Department of Central Management Services (DCMS) without supporting documentation.

 

      Public Act 93-25 authorized DCMS to consolidate Information Technology (IT) functions of State government.  In addition, Public Act 93-839 authorized DCMS to consolidate Professional Services (Graphic Designers) of State government.  As a result of the consolidations, DCMS billed the Department for services rendered on their behalf.

 

     Each month DCMS provided the Department a billing statement indicating the total charged to the Department.  The Department did not receive sufficient supporting documentation to ensure the charges were for services incurred on their behalf.

 

    During our examination, we reviewed 10 IT billings, totaling $318,699, noting the Department did not obtain detailed support for payroll charges of $301,665.  The Department received a spreadsheet indicating the charge for each employee; however, there was no detail to determine if the employee worked on behalf of the Department. 

 

    Additionally, during our review of the Department’s District One IT Billings, we noted the Department had been billed and paid $13,658 in Building Rent.  However, the Department had been billed and paid for the same space utilization through the Facility Management billings.

 

     In addition, we reviewed 13 Graphic Designer billings, totaling $9,845, noting the Department did not obtain detailed support for the charges. (Finding 4, pages 11-12 in the Compliance Report)

   

      We recommended the Department obtain adequate supporting documentation to ensure all charges billed by DCMS for consolidated services are on behalf of the Department.

 

     Department officials agreed with the finding and stated they will no longer pay IBIS billings without proper documentation.

 

INADEQUATE CONTROLS TO PREVENT INAPPROPRIATE PAYMENTS TO VENDORS

 

                  The Department did not have adequate controls to prevent inappropriate payments to vendors.

 

      A report of potential duplicate vouchers using auditing software  was obtained and the following 6 of 25 (24%) payments tested were paid twice by the Department:

 

·              $1,946 to the State Garage Revolving fund for gas

                 purchases;

·              $1,810 for installation of new septic pump;

·              $198 for hotel rooms;

·              Two vouchers totaling $1,762 and $1,702 to the

                Communications Revolving   Fund for phone services; and

·              $116 for tire service.

 

      Three Department refunds were received when vendors returned duplicate payments:

 

·        Two different accounting entities paid the same invoice

             Totaling $2,349.

·        A vendor was paid $9,442 in two different fiscal years for

            the same invoice.

·        Another invoice totaling $3,556 was paid in error.   We also noted the invoice was dated 2/27/06 on the initial invoice while the date on the same invoice used for the second payment had been changed in black to 8/27/06.   We further noted the second invoice totaling $6,756 ($3,556 + 3,200 deposit) had part of the description marked out in black marker.  The portion that was marked out stated the invoice was for shipping charges and the dates the items were shipped (4/10/06 and 5/12/06).               

           

     The Department’s accounting system invokes a warning for duplicate payments for invoices if the invoice number already exists or if the payee identification and invoice dollar amount are the same, but the same individual who enters the voucher can override the alert.  In addition, there is no centralized report to allow management to review all employee overrides for reasonableness.  Further, the system only warns for duplicates within the same accounting entity and fiscal year.  The Department has 35 accounting entities that enter vouchers and also have reappropriated accounts that do not lapse at the end of the fiscal year. (Finding 5, pages 13-16 in the Compliance Report)

 

    We recommended the Department implement controls to review employee overrides for duplicate payments.   We also recommended controls be implemented to prevent duplicate payments between accounting entities and over different fiscal years for the reappropriated accounts.  We further recommended the Department obtain refunds for the duplicate payments made.

 

    Department officials agreed with the finding and stated they will obtain refunds for the duplicate payments made and a BIP Action Request has been created to modify the FOA accounting system allowing duplicate payment checks across all accounting entities.  

 

FAILURE TO TIMELY PERFORM BRIDGE INSPECTIONS

 

      The Department and local agencies were delinquent in performing bridge inspections during FY07.  In addition, the Department needs to improve the quality of the bridge inspection data.  The Department also did not have an individual appointed as the State Bridge Inspection Program Manager as required by federal regulations.

 

      Using the intervals established by the Department, a total of 1,752 (6.6%) bridges were delinquent in receiving an inspection.  The Department was delinquent in conducting 108 bridge inspections.  Of these, 19 bridges were more than six months delinquent; 13 were more than one year delinquent.  Of the 19 bridges that were more than six months delinquent, 2 were rated structurally deficient.  For local agencies, 1,644 bridges were delinquent for an inspection.  Of these, 274 were more than six months delinquent for an inspection; 221 were more than one year delinquent.  Of the 274 bridges that were more than six months delinquent, 20 were rated structurally deficient.

 

      Some bridges in the data provided by the Department contained blank inspection intervals (554) or a “0” (84) for the interval.  This does not include bridges listed as closed.  A few bridges (5) also were listed at routine inspection intervals above the maximum allowable by federal regulation (48 months).  There are also problems related to data accuracy involving other codes in the bridge inspection data.

 

      From December 2006 through June 2007, the Department did not have an individual formally appointed as the Bridge Inspection Program Manager as is required by federal regulations.    (Finding 6, pages 17-22 in the Compliance Report)

 

      We recommended the Department ensure all bridge inspections are conducted within allowable intervals established by federal regulations and the Department.  We also recommended the Department review the intervals being used and the accuracy of information in its data system for bridges for accuracy and reasonableness.  Further, we recommended the Department ensure a qualified individual is formally appointed as the Bridge Inspection Program Manager.

 

      Department officials agreed with the recommendation and primarily attributed the concerns noted in the finding to reporting, entry, and maintenance of bridge inspection data. 

 

      After their subsequent review of the allowable intervals and data provided to the auditors from their data base, the Department stated the following: 99 Railroad bridges and 24 pedestrian structures identified in the audit as delinquent were not the responsibility of the Department or local agencies, 26 bridges identified as delinquent were adjacent State’s responsibility,  80 State bridges and 1367 local bridges, identified as delinquent at the time the data file was created were within the FHWA approved time period allowed for data entry,  and the data provided to the auditors included 3 bridges that were identified as being under staged construction. 

 

      In an auditors’ comment we noted of the 108 delinquent bridges attributable to the Department, none were pedestrian crossing and only one appeared to carry a railroad.  We further noted that all bridges on Illinois highways are the Department’s responsibility according to federal regulations.   For 18 of the 26 bridges the Department identified as the responsibility of other states, the Department is the Reporting Agency. The auditors were unable to evaluate the Department’s claims regarding the bridges that would not be considered delinquent as we used the data provided during fieldwork.   In addition, we noted there was nothing in the federal regulations that suspends the routine interval due to construction. 

 

IMPROPER PROCUREMENT PROCEDURES

 

      The Department did not follow its own procedures for procuring professional and artistic contracts and did not maintain adequate documentation to substantiate its procurement activities.

 

      The Department inappropriately issued a non-professional and artistic Request for Proposals (RFP) for services that were professional and included accounting, auditing, and financial review services.

 

      The winning vendor received an average of 480 total responsiveness points from the selection committee while another vendor received an average of 586 total responsiveness points, and no negotiation or contact was made with the vendor with the highest points. In addition, the Department changed the scope of services to be performed and could not provide evidence it communicated the change to the vendors.

 

      The Department awarded a contract for a media buy and did not document the process adequately. The selection committee scored four proposals received for a traffic safety media buy.  The Department then stated they invited the top three vendors to do oral presentations and two vendors attended. No documentation was maintained other than a second round of scoring sheets completed by the selection committee after the oral presentations.  In addition, the contract overview document did not accurately document the reason for rejecting bids.  (Finding 8, pages 26-33 in the Compliance Report)

 

      We recommended the Department ensure it is following all the appropriate, required procedures when issuing RFPs and evaluating vendor proposals.  We also recommended, if changes to the scope of services are found to be necessary, an addendum be timely published on the Illinois Procurement Bulletin.  In addition, we recommended the Department maintain a record of all communications with proposing vendors during the procurement process, including oral presentations.  Lastly, we recommended the Department ensure its procurement files accurately document the reasons for rejecting bids.

 

      The Department partially agreed with the finding and recommendation.

 

      The Department agreed the solicitation should have been issued as a Professional and Artistic RFP rather than being issued as a Competitive Sealed Proposal.  The Department did not agree however, that the process used to select a winning vendor under the Competitive Sealed Proposal approach was in error or that there was a change in the scope of services.  The Department also stated on March 31, 2006, after this RFP had been issued, they established an internal policy requiring all general services (excluding Information Technology procurements) to be handled as professional and artistic based on a previous audit finding. 

 

      In an auditors’ comment, we noted although the Department stated it was unsure whether the services were purely professional and artistic, their Departmental Order 6-3 states accounting services including auditing, accountants, and actuarial services are always professional and artistic.  

 

      Further, it should be noted that the winning vendor proposed a price for the first three tasks and a blended hourly rate for the task for possible additional avenues of review, so it was an open ended bid which required an additional amount to be complete. The recommendation letter submitted by Department personnel and approved by Department management was 18 days prior to formulation of total points using all 4 tasks.   The total points and price on that letter only used the bid from the winning vendor for the first three tasks.

 

      The Department solicited a best and final offer with a blended hourly rate for task no. 4 (one week after formulation of the contract and 18 days after the decision memo to award the contract to the other vendor).   No documentation showed the Department informed the losing bidder that task no. 4 would change from tasks that may occur as appropriate to 1,500 hours.

 

NEED TO IMPROVE DOCUMENTATION IN PROCUREMENT FILES AND NOTIFICATION PROCESS

 

      The Department failed to provide proper notifications in the Illinois Procurement Bulletin and did not maintain adequate documentation in its procurement files.

 

      The Department did not provide the required notification on the Illinois Procurement Bulletin that contracts were awarded to the vendors without the lowest bid for 2 of 10 (20%) procurements tested totaling $3,752,840.   In addition, one of the contracts for a vendor to perform ISO 9001:2000 registration consulting services was executed on February 1, 2007, and the award notice was not published until February 7, 2007.

 

      Two of 10 (20%) procurement files tested did not adequately document the proper handling of vendor price proposals.   One file’s evaluation of vendor cost proposals was not signed and dated by the recorder or witness, and the other file in which the procurement was cancelled and re-issued did not contain documentation of the original bids received from the two responding vendors. 

 

      Four of 10 (40%) procurement files tested did not contain conflict of interest forms for the employees on the technical review committee.   (Finding 9, pages 34-37 of the Compliance Report)

 

      We recommended the Department ensure all required notifications are made in the Illinois Procurement Bulletin and its procurement files contain proper documentation.

 

      Department officials agreed with the finding and stated they are implementing a procurement file checklist that will address when to publish awards, signatures and maintenance of cost proposal forms,  the maintenance of cost proposals, and they now require all technical review team members to sign conflict of interest forms.

 

NEED TO IMPROVE CONTROLS OVER GRANT AGREEMENTS

 

      The Department did not have adequate controls over its grant agreements.

 

·  The Department could not provide documentation that it adequately administered and monitored grant funds provided to a large city for the municipal maintenance of State highways.  The grant agreement required quarterly installment payments subject to an inspection for satisfactory maintenance and operation of covered streets.  The Department paid four quarterly payments on January 16, 2007, totaling $3,288,660, and could not provide documentation of any inspections or other monitoring. 

 

  • The Department provided $18,651 during FY07 to an organization to increase awareness of safety belt use in the Hispanic community.   The Department was unable to provide evidence of any monthly reports or that a final report was received.

 

  • The Department paid $997,486 to a municipality during FY07 for the purchase of an Aircraft Rescue and Firefighting (ARFF) Vehicle and reimbursement for a land parcel.  The grantee did not submit semi-final and final inspection reports, and the Department could not provide evidence it monitored the progress and performance of the Project work through the Project Coordinator and the Consulting Engineer.    (Finding 11, pages 43-45 in the Compliance Report)

 

      We recommended the Department review grant agreements to ensure all requirements are met prior to payments being made.  We also recommend the Department adequately monitor its grants to ensure all required reports are received by the grantee and reviewed by the Department.  We further recommend the Department adequately document its monitoring efforts.

 

      Department officials agreed with the finding and stated they will require grantees to submit the required reports prior to payment.  They further stated they will revise the requirements for Participation Agreements to be applicable to non-construction projects.

 

NEED TO ENHANCE CONTROLS OVER THE ADMINISTRATION OF STATE VEHICLES

 

      The Department did not have adequate controls over tracking the costs and usage of State vehicles, the assignment of State vehicles to employees, and its reporting of vehicle accidents to the Department of Central Management Services (DCMS).

 

Tracking Costs and Usage

      The 2004 State of Illinois Fleet Efficiency Review Final Report recommended the Department replace its Maintenance Management Information (MMI) system with different software and the Department should use the software for all fleet and related equipment transactions. Currently, the Department is still using the same MMI fleet tracking system, and this software does not track all the costs associated for the fleet or related equipment transactions. 

 

Vehicle Assignments

      The Department’s assignment of vehicles to employees is authorized by Directors and District Engineers.  According to the Department’s vehicle report to DCMS, there were 1,333 employees with take home vehicles as of June 2007.  We noted the report provided to DCMS was missing critical information including: the justification for having a take home vehicle (12%), the date assigned (86%), payroll classification or title of the individual assigned the vehicle (2%), average monthly mileage (5%), current vehicle mileage (3%), days per month business stops made (1%), and the miles from home to headquarters (1%).  Although all the assignments were approved by a Director or District Engineer, without this data it is difficult to determine whether there is justification for assigning the employee a take home vehicle.

 

      We also noted three of 20 (15%) employees were assigned to a new vehicle during FY07 and the vehicle changes were not timely reported to DCMS.

 

Vehicle Reporting

      Three of 10 (30%) vehicle accidents tested were reported to DCMS from 14 to 40 days late. Department management stated the accidents were not timely reported due to late reports from field personnel. (Finding 12, pages 46-51 in the Compliance Report)

 

      We recommended the Department implement the recommendations in the Fleet Efficiency Review Report and ensure its tracking system for vehicles is adequate.  Also, the Department should thoroughly review the employees with assigned vehicles in order to ensure vehicle information is up-to-date and that there is clear justification for the vehicles being assigned to individuals to take home.   Further, all changes in vehicle assignments and vehicle accidents should be reported to DCMS as required and adequate documentation of vehicle usage should be maintained for all vehicles including pool vehicles.

 

      Department officials agreed with the finding and stated they were implementing changes to its vehicle tracking and reporting procedures.

 

INADEQUATE MONITORING OF INTERAGENCY AGREEMENTS

 

     The Department’s process to monitor interagency agreements was inadequate.

 

  • Four of 14 (29%) interagency agreements tested were not signed by all necessary parties before the effective date. The agreements were signed from 24 to 89 days late.   One additional agreement was signed 9 days late by the originating party and the Department signed but did not record the date.

 

·        One of 14 (7%) interagency agreements had services totaling $79,656 invoiced prior to the effective date of the agreement. 

 

·        The Department entered into an agreement for the sharing of an employee’s services with the Office of the Governor (Office) dated March 1, 2006.  The agreement required the Department to pay $10,224 of the employees’ payroll and the Office to pay $46,576 for a total annual salary of $56,800.   The Department, the Office, and the Illinois State Board of Education (ISBE) entered into a subsequent agreement for the same employee effective February 1, 2007 with payroll to be divided between ISBE ($48,000), the Department ($10,000) and the Office ($49,000) for a total annual salary of $107,000.

 

      According to those agreements, the Department should have paid approximately $10,129 during FY07 for the employee’s payroll expenses. The Department instead paid $30,194, approximately $20,065 more than the agreements required. The Department agreed on May 30, 2007 to pay ISBE’s payroll costs of $8,000 for May and June 2007 and then agreed on June 7, 2007 to pay the remaining payroll costs of $12,000 for February through April. Both letters indicated ISBE would reimburse the Department; however, the Department could not provide evidence of any receipts from ISBE as of December 7, 2007.  (Finding 13, pages 52-55 in the Compliance Report)

 

    We recommended the Department ensure interagency agreements are approved prior to the effective date and prior to services being rendered.   We further recommended the Department ensure the terms of the agreement are followed and all amounts owed are collected.

 

     Department officials agreed with the finding and stated they will now coordinate with the originating agency to revise the execution process so that signatures are affixed timely.   They also stated an invoice to ISBE was issued, but ISBE would not pay the invoice and the Department will submit it to the Court of Claims for a proper resolution.

 

FAILURE TO ESTABLISH ADEQUATE COMPUTER SECURITY CONTROLS

 

      The Department in conjunction with the Department of Management Services (DCMS) did not establish adequate controls for securing its computer resources.

 

      The Department had established computer systems throughout the State in order to meet its mission and mandate. The Department processes and maintains critical, confidential and sensitive information on computer systems.  Many of the Department’s IT functions were consolidated into DCMS, with a physical move of equipment in October 2006.  As a result, the Department and DCMS have a shared responsibility over computer security.

 

Although the Department had a draft version of a revised Information Technology Policy, the Policy currently in effect, dated May 15, 2000, is over seven years old and did not reflect the current environment. 

 

      In addition, during our testing of computer security, we noted:

 

  • Servers were not always updated with the current vendor recommended patch levels.

  • An excessive number of users had powerful security administration authority.

  • Password length and content requirements were lacking.

  • Accounts for terminated employees were still active after termination.

  • Access rights to Department applications and data were not routinely reviewed.  (Finding 19, pages 73-74 in the Compliance Report)

 

      We recommended the Department formally communicate to DCMS its security requirements, and establish and document guidelines that outline both the Department’s and DCMS responsibilities.   We also recommended the Department work with DCMS to strengthen its security parameters.  In addition, we recommended the Department finalize and implement the draft Information Technology Policy. 

 

      Department officials agreed with the finding and stated they will continue to work with DCMS to implement the recommendations.    The Department also stated they will implement a revised IT Policy and Security Awareness Program during FY08.

 

OTHER FINDINGS

 

      The remaining findings are reportedly being given attention by the Department.  We will review the Department’s progress toward implementation of our recommendations in our next examination.

 

 

AUDITORS’ OPINION

 

      Our auditors state the basic financial statements of the Department as of and for the year ended June 30, 2007 are fairly presented in all material respects.

 

STATE COMPLIANCE EXAMINATION – ACCOUNTANT’S REPORT

 

      The auditors qualified their report on State Compliance for findings 07-6, 07-8, 07-9, 07-11 and 07-12.  Except for the noncompliance described in these findings, the auditors state the Department complied, in all material respects, with the requirement described in the report.

 

 

 

 

____________________________________

WILLIAM G. HOLLAND, Auditor General

 

WGH:GR:pp

 

 

AUDITORS ASSIGNED

 

      The compliance examination was performed by the Auditor General’s staff.    BKD, LLP were our special assistant auditors for the financial audit.