FINDINGS, CONCLUSIONS, AND
RECOMMENDATIONS
LACK OF SYSTEM DEVELOPMENT STANDARDS RESULTING IN INADEQUATE OVERSIGHT AND CONTROL
OF COMPUTER SYSTEM PROJECTS
The Department had not established system development standards nor contract
monitoring procedures to ensure computer system projects are appropriately managed. The
lack of standards and procedures resulted in systems being developed and paid for that did
not adhere to contractual requirements or meet the needs of the Department.
We reviewed four system development projects and identified project management problems
with three of the four. One contract had been paid in full although all contract
deliverables had not been received. One contract was paid in full for a system the
Department could not use. Lastly, one contract was paid although the system was under
development for seven years and had not been fully implemented. (Finding 1, pages 13-14)
We recommended the Department institute measures to strengthen project management such
as developing policies and procedures, implementing a system development methodology and
establishing appropriate monitoring mechanisms. Further, the Department should ensure
compliance with the established standards and methodology, hold a significant percent of
contract amounts until deliverables are complete and/or received, and initiate efforts to
recoup contract monies for deliverables not received.
Department officials concurred with our recommendation and stated a Quality Assurance
Section has been established. In addition, a committee will be assigned to define specific
direction in terms of processes, standards and control with a complete action plan
developed by March 30, 2000.
INADEQUATE CONTROLS OVER BODY SHOP CONTRACTS
The Department's Information Services Bureau entered into numerous "body
shop" contracts. These contracts, with consultants pre-approved by the Department of
Central Management Services, usually specify EDP services for up to a certain number of
hours to be completed by a specified date. We noted the following deficiencies:
Prudent business practices require proper internal controls be established to prevent
improper expenditures, encourage adherence to legal requirements and prescribed management
policies, and ensure the accuracy and reliability of accounting data. (Finding 10, pages
28-29)
We recommended the Department only pay for hours actually worked within the contract
period, review invoices to ensure only charges authorized under the contract are paid for,
and only pay for services performed pursuant to the applicable contract. Further, the
Department should develop, implement and periodically monitor management controls designed
to ensure the future compliance with applicable purchasing and appropriation rules.
Department officials concurred with our recommendation and stated they will develop,
implement and monitor management controls that ensure contracts are compliant. The
Department also stated a compliance officer has been appointed to oversee this process.
IMPROPER FISCAL YEAR EXPENDITURES
The Department's Information Services Bureau improperly expended $521,000 of FY99
money for FY98 expenditures in violation of appropriations for the design, development and
implementation of a new criminal history application.
The contractor billed the Department for services rendered in FY98. However, a contract
was not signed until late in June and therefore, the Department requested the contractor
change deliverable dates and resubmit the work products for re-acceptance by the
Department in FY99. (Finding 11, pages 30-31)
We recommended the Department only pay for contracted services and pay for such
services out of correct fiscal year appropriations. In addition, we recommended the
Department ensure that all billings and billing dates are accurate.
Department officials concurred with our recommendation and stated the Information
Services Bureau will develop, implement and monitor expenditure controls.
INADEQUATE COMPUTER SECURITY
The Department had not established adequate security controls over its computer
systems. The Department utilizes approximately $6.3 million of computer equipment and has
local area networks (LANs) located throughout the State. The Department processes critical
applications on the LANs, and LANs provide access to the Department's mainframe computer
system from remote sites.
The Department has written policies and procedures for personal computers, LAN
administration, and information security. However, we determined the Department had not
ensured compliance with these policies and procedures. We noted several security
weaknesses in both the Department's LANs and mainframe computer systems processes.
(Finding 2, pages 15-16) This finding has been reworded and repeated since 1992.
We recommended the Department enforce its written policies and procedures for the
administration of LANs, mainframes, and for information security.
Department officials concurred with our recommendation and stated a policy encompassing
these recommendations will be completed by March 30, 2000. (For previous Department
responses, see Digest Footnote 1.)
DISASTER CONTINGENCY PLAN WEAKNESSES
The Department had not updated its disaster contingency plan to include provisions
for recovering its entire computing environment, nor performed a comprehensive test of its
mainframe, minicomputer, or local area network disaster recovery capabilities.
We noted the only disaster contingency procedures tested were associated with the
recovery of the mainframe backup tapes at the backup site. A comprehensive disaster
recovery test of mainframe systems had not been conducted and the mainframe plan did not
state required recovery timeframes for each of the critical applications. In addition, the
current backup site did not have sufficient capacity to process all of the Department's
critical applications. We also noted a recovery site for the minicomputer applications did
not exist and the Department had not taken action to upgrade the fire protection system in
the Armory. (Finding 5, page 20). This finding has been reworded and repeated since
1986.
We recommended the Department address an enterprise-wide approach to recovering and
restoring computer processing in its disaster recovery plans. We also recommended the
Department strengthen its disaster recovery capabilities.
Department officials concurred with our recommendation and stated a revised plan will
be completed by June 30, 2000. (For previous Department responses, see Digest Footnote 2.)
OTHER FINDINGS
The remaining findings were less significant and are being given attention by the
Department. We will review its progress toward implementing these recommendations in our
next audit.
AUDITORS’ OPINION
Our auditors state that the Department’s financial statements as of and
for the year ended June 30, 1999 are fairly presented in all material respects.
____________________________________
WILLIAM G. HOLLAND, Auditor General
WGH:JSC:pp
SPECIAL ASSISTANT AUDITORS
Our special assistant auditors for this audit were Olive LLP.
DIGEST FOOTNOTES
#1: INADEQUATE COMPUTER SECURITY - Previous Department Responses.
1998: "We concur. ISB has corrected the specific items found not to comply with
current security procedures and will implement additional safeguards to ensure these
specific items do not occur in the future. In addition, the Department will budget for and
purchase security audit software that will assist LAN administrators to more easily
identify instances of non-compliance. It is not possible to comply with separation of
applications development and LAN administration on the two programmers identified in the
audit. These two individuals are on-site support people in the Chicago Lab and are used as
backup network support. ISB will take additional measures to ensure accountability in
regard to network administration access. These measures will be reflected in the written
policies and procedures."
1996: "We concur. Due to the pending plan to renovate the Armory, improved fire
protection will be included in this effort, contingent upon adequate funding."
1994: "We concur in part. More work needs to be done on LAN security and control.
However, the recommendations made by the audit are contrary to those implemented on the
mainframe. The LAN and mainframe require similar controls and should be consistent with
each other. The need for disaster recovery for LANs is recognized and will be addressed.
While ISB (Information Services Bureau) does not currently have a separate security
awareness class, security is emphasized in all of the Information Center training
classes." (The response then goes on to address the recommendations made in more
detail.)
1992: "We concur. ISB will coordinate and manage local area networks (LANs) for
ISP. The responsibility will include controlling, installing and supporting LANs as well
as security functions." (The response provides further details on plans to implement
the recommendations.)
#2: DISASTER CONTINGENCY PLAN WEAKNESSES - Previous Department Responses
1998: "We concur with the need for an upgraded fire protection system for
the entire Armory building. However, funding and other extenuating circumstances have
proved prohibitive in the realization of this initiative. We concur in part with the
analysis of the LAN disaster plan. Every LAN application has back-up hardware and software
in the event of a disaster. Application staff and Network staff know what needs to be done
to recover all of the ISP LAN based applications in the event of a disaster. However, the
process for recovery needs to be formalized and committed to policy. ISP will make the
necessary changes and additions to the Disaster recover Plan.
1996: "We concur. Due to the pending plan to renovate the
Armory, improved fire protection will be included in this effort, contingent upon adequate
funding."
1994: "We concur. A written disaster recovery plan is in process. ISP will
continue to work toward a more complete Armory fire suppression system as funds
allow."
1992: "ISP concurs that an alternate processing site should be established. To
this end, ISP and CMS are in the process of implementing the capability for ISP to use CMS
facilities in the event of a disaster. This capability will include the ability to switch
critical communications lines so that processing of officer safety functions will be
protected. ISP anticipates conducting a test of this capability by the beginning of FY 94.
The intent of ISP is to address the inadequacies of fire protection in three phases as
funding becomes available. The first phase will encompass an Armory-wide fire detection
system that will alert the fire department when a fire is detected. The second phase will
provide for fire suppression in areas that are unmanned in off-hours. The third phase will
provide for fire suppression in critical areas that are manned twenty-four hours per day.
The greatest risk to the computer facility is a fire that ignites in the Armory and is not
detected until too late. In areas that are manned, the risk is less and staff would be
able to call for the fire department in a timely fashion. To minimize total risk, fire
detection and suppression is needed in all areas of the Armory to protect critical
functions."
1990: "We concur with the findings concerning lack of a backup site and inadequate
fire suppression in the Data Center. We will continue to seek funding to correct these
deficiencies."
1988: "We concur."
1986: "We concur. A formal recovery plan is under development. A Failure Impact
Analysis has been completed and recommendations are being prepared, for the
Director’s approval, on priority for restoring all applications. Funds have been
requested in FY90 from the Capital Development Board for FY90 to build a primary data
center which would then allow the Armory as a backup site.
A complete fire protection system has not been installed due to lack of adequate funds.
However, some alternative fire suppression efforts have been made. Since 1984, we have
utilized very limited funds to expand heat sensors/fire detectors in the data center,
which are monitored by the ISP Command Center. We have also obtained fire-retardant trash
containers, and plastic covers to prevent water damage to equipment due to burst
pipes."
