REPORT DIGEST DEPARTMENT OF STATE POLICE COMPLIANCE EXAMINATION FOR THE TWO YEARS ENDED JUNE 30, 2018 Release Date: May 23, 2019 FINDINGS THIS AUDIT: 14 CATEGORY: NEW -- REPEAT -- TOTAL Category 1: 1 -- 2 -- 3 Category 2: 1 -- 10 -- 11 Category 3: 0 -- 0 -- 0 TOTAL: 2 -- 12 -- 14 FINDINGS LAST AUDIT: 13 Category 1: Findings that are material weaknesses in internal control and/or a qualification on compliance with State laws and regulations (material noncompliance). Category 2: Findings that are significant deficiencies in internal control and noncompliance with State laws and regulations. Category 3: Findings that have no internal control issues but are in noncompliance with State laws and regulations. State of Illinois, Office of the Auditor General FRANK J. MAUTINO, AUDITOR GENERAL To obtain a copy of the Report contact: Office of the Auditor General, Iles Park Plaza, 740 E. Ash Street, Springfield, IL 62703 (217) 782-6046 or TTY (888) 261-2887 This Report Digest and Full Report are also available on the worldwide web at www.auditor.illinois.gov SYNOPSIS • (18-1) The Department did not exercise adequate control over the recording and reporting of its State property and equipment. • (18-2) The Department did not exercise adequate controls over accounts receivable. • (18-6) The Department did not maintain adequate security controls over computer systems to safeguard confidential information. • (18-9) The Department did not exercise adequate controls over voucher processing. FINDINGS, CONCLUSIONS, AND RECOMMENDATIONS NEED TO IMPROVE CONTROLS OVER PROPERTY AND EQUIPMENT The Department of State Police (Department) did not exercise adequate control over the recording and reporting of its State property and equipment. Some of the items we noted follow: • 36 of 60 (60%) items listed as lost or missing could possibly have confidential information stored on them. • The Department was unable to reconcile differences noted between the Expenditures by Quarter Report and the Agency’s Report on State Property (C-15) Reports. • The Department’s property records did not agree to the C-15 Reports filed with the Office of the State Comptroller. • 25 of 81 (31%) vouchers, totaling $14,940,093, included items that were not added to the Department’s inventory records. • 34 of 60 (57%) items, totaling $9,378,665, were added to the Department’s inventory records between 1 and 989 days late. • 12 of 60 (20%) items, totaling $767,456, were deleted from the Department’s inventory records between 40 and 423 days after the disposal date. • Annual Certifications of Inventory could be inaccurate based upon failure to perform reconciliations of the Department’s property records. • 34 of 60 (57%) items, totaling $118,769, were reported on the Annual Certifications of Inventory as being unable to be located. • 11 of 17 (65%) Accounting for Leases- lessee Forms (SCO560), totaling $262,729, included maintenance cost in the rent per period input on the SCO-560 form. • 12 of 60 (20%) items located within the Department were not found on the Department’s property records. • The Department’s property control manual does not reference the services that the Public Safety Shared Services Center performs for the Department. (Finding 1, pages 11-18) This finding was first reported in 2002. We recommended the Department develop procedures to immediately assess if a computer may have contained confidential information whenever it is reported lost, stolen, or missing during the annual physical inventory, and document the results of the assessment. We also recommended the Department ensure all equipment is accurately and timely recorded or removed from the Department’s property records and ensure accurate reports are submitted to the Comptroller. Further, we recommended the Department update its property control manual and continue to strengthen controls over the recording and reporting of its State property and equipment by reviewing their inventory and recordkeeping practices to ensure compliance with statutory and regulatory requirements. Department management concurred with the finding and recommendation and stated the Public Safety Shared Services Center (PSSSC) has been responsible for the Department’s property control since its formation in 2008. Department management also stated the Department returned the property control and several other functions from the PSSSC to the Department in 2019 and are currently increasing staff in the property control area to address these matters. (For the previous Department response, see Digest Footnote #1.) INADEQUATE CONTROLS OVER ACCOUNTS RECEIVABLE The Department did not properly maintain accounts receivable records and failed to accurately report accounts receivables on the Quarterly Summary of Accounts Receivable Reports (Reports) to the Office of the Comptroller. Some of the items noted follow: • For the Road Fund (Fund 011), the Department did not post all new billings or payments received against the receivable balances which resulted in the accounts receivable listing being inaccurate. • The Department submitted Reports for Fund 011 which did not agree to the support provided. • Accounts receivable were recognized at the time of the receipt of payment instead of when the claim for future cash was reasonably estimable and measurable. (Finding 2, pages 19-20) This finding was first reported in 2010. We recommended the Department keep accurate and detailed records of all billings and the corresponding collections to facilitate proper reporting of accounts receivable activity. We also recommended the Department strengthen procedures and allocate necessary resources to properly post payments. Department management concurred with the finding and recommendation and stated the accounts receivable was a function transferred to the Public Safety Shared Services Center (PSSSC) when it was formed in 2008. Department management also stated the Department returned the accounts receivable function from the PSSSC to the Department in fiscal year 2019 and is working to hire personnel to perform the accounts receivable duties. (For the previous Department response, see Digest Footnote #2.) FAILURE TO MAINTAIN SECURITY CONTROLS OVER COMPUTER SYSTEMS The Department did not maintain adequate security controls over computer systems to safeguard confidential information. During testing, we noted the Department: • Did not have a mechanism in place to ensure electronically transmitted information was secured or encrypted, other than Law Enforcement Agencies Data System (LEADS) information. • Had not deployed encryption software on all laptops and data at rest. • Did not have a policy in place to mandate all hard drives of surplus electronic data processing equipment be erased, wiped, sanitized, or destroyed. Additionally, the Department’s general procedures did not require written certification of the overwriting or destruction processes as required by the Data Security on State Computers Act (Act). • Had not ensured surplus equipment was secured and tracked prior to disposal. Additionally, the Department had not ensured leased equipment was properly wiped prior to returning it to the vendor. • A powerful default administrator account had not been disabled, and individual access rights were not timely deactivated. (Finding 6, pages 27-29) This finding was first reported in 2010. We recommended the Department: • Install automatic encryption software on all laptops and data at rest, and secure and encrypt confidential data transmitted through the network. • Implement procedures to ensure that surplus equipment is secured and properly tracked while awaiting disposal. • Implement a policy to ensure compliance with the Act. • Implement procedures to ensure all leased equipment is properly wiped prior to return. • Disable the default administrator account. We further recommended the Department seek legislative remedy for these requirements they determine to be redundant and inefficient. Department management concurred with the finding and recommendation and stated they are working with the Department of Innovation & Technology (DoIT) to implement new equipment and technologies to remediate issues. Department management also stated desktops and laptops are being encrypted as they are being replaced or repaired. (For the previous Department response, see Digest Footnote #3.) VOUCHER PROCESSING WEAKNESSES The Department did not exercise adequate controls over voucher processing. We noted the following: • 10 of 11 (91%) prompt pay interest payments tested, totaling $778,664, were unreasonable and unnecessary. The original vendor invoices were received during Fiscal Years 2015 and 2016, however were not paid until Fiscal Year 2018. The interest payments were paid from Special State Funds which had unexpended appropriations for both Fiscal Year 2016 and 2017, which indicates funds were available and the invoices could have been paid and the accumulating interest avoided. • 205 of 433 (47%) vouchers tested for Fiscal Years 2017 and 2018, totaling $28,128,051, were approved for payment 1 to 884 days late. • 13 of 377 (3%) vouchers tested for Fiscal Years 2017 and 2018, totaling $619,886, accrued required interest charges of $17,626 which were not paid by the Department. (Finding 9, pages 36-37) This finding was first reported in 2004. We recommended the Department comply with the Act and the Code to ensure vouchers are approved and paid within the required time frame and the required interest is paid. Department management concurred with the finding and recommendation and stated the budget impasse created numerous unique situations for the Department. Department management also stated voucher processing is being brought back to the Department from the Public Safety Shared Services Center (PSSSC) and staff are being hired to oversee the best practices and write procedures to ensure invoices are paid timely. (For the previous Department response, see Digest Footnote #4.) OTHER FINDINGS The remaining findings pertain to: 1) inadequate internal controls over receipts, monthly reconciliations, contracts and personnel transactions, 2) delinquent accounts not pursued, 3) lack of project management and weaknesses in change management, 4) noncompliance with specific statutory mandates, 5) failure to follow policies and procedures over asset seizures and forfeitures, and 6) contingency planning weaknesses related to recovery of computer systems. We will review the Department’s progress towards the implementation of our recommendations in our next compliance examination. ACCOUNTANT’S OPINION The accountants conducted a compliance examination of the Department for the two years ended June 30, 2018, as required by the Illinois State Auditing Act. The accountants qualified their report on State compliance for findings 2018-001, 2018-002 and 2018-003. Except for the noncompliance described in these findings, the accountants stated the Department complied, in all material respects, with the requirements described in the report. This compliance examination was conducted by West & Company, LLC. JANE CLARK Division Director This report is transmitted in accordance with Section 3-14 of the Illinois State Auditing Act. FRANK J. MAUTINO Auditor General FJM:SW DIGEST FOOTNOTES #1 NEED TO IMPROVE CONTROLS OVER PROPERTY AND EQUIPMENT – Previous Department Response 2016: The Department concurs. The Public Safety Shared Services Center (PSSSC) will continue to work to process property transactions within the allowable timeframes and ensure accurate information is entered into the system. The Department will need to ensure that all requested documentation is provided to Property Control in a timely manner so new items may be added to the system. The Department will work with the PSSSC to update procedures related to property control and disseminate those procedures to the field. The Department continues to struggle with the effects of the central property control unit being located outside of the agency within the PSSSC therefore delaying processing of paperwork as well as removing property control subject matter experts from the agency. #2 INADEQUATE CONTROLS OVER ACCOUNTS RECEIVABLE REPORTING – Previous Department Response 2016: The Department concurs. Accounts receivable reporting is a function of PSSSC. The Department will work with the PSSSC to develop a plan to address the ongoing issues. Together we will continue to work to ensure accurate and timely reporting of accounts receivable. #3 FAILURE TO MAINTAIN SECURITY CONTROLS OVER COMPUTER SYSTEMS AND CONFIDENTIAL INFORMATION – Previous Department Response 2016: The Department concurs. The Department recognizes the need to maintain adequate security controls on systems. Many of the recommendations are currently being implemented or being planned as a part of the statewide consolidation. The Department will have encryption software on all devices (PCs, laptops, and IWIN devices) by July 2017. Modifications to the installation and decommissioning of equipment is being modified by DoIT personnel and several policies have been proposed to address the tracking and disposal of equipment. The Department is also investing in its aging infrastructure, which will resolve findings with the running of unsupported equipment and operating systems. #4 VOUCHER PROCESSING WEAKNESSES – Previous Department Response 2016: The Department concurs. Voucher processing begins within the Department and is finalized at the PSSSC. The PSSSC processed vouchers as quickly as possible given the available staffing resources. The Department will also need to ensure that cost center staff are submitting vouchers to PSSSC in a timely manner. The Fiscal Year 2016 budget impasse also impacted the ability to process payments in a timely manner. The Department will work towards the processing of required prompt payment penalties as resources are available.