REPORT DIGEST DEPARTMENT OF LABOR COMPLIANCE EXAMINATION FOR THE TWO YEARS ENDED JUNE 30, 2021 Release Date: May 18, 2022 FINDINGS THIS AUDIT: 12 CATEGORY: NEW -- REPEAT – TOTAL Category 1: 1 -- 5 -- 6 Category 2: 3 -- 3 -- 6 Category 3: 0 -- 0 -- 0 TOTAL: 4 -- 8 -- 12 FINDINGS LAST AUDIT: 14 Category 1: Findings that are material weaknesses in internal control and/or a qualification on compliance with State laws and regulations (material noncompliance). Category 2: Findings that are significant deficiencies in internal control and noncompliance with State laws and regulations. Category 3: Findings that have no internal control issues but are in noncompliance with State laws and regulations. State of Illinois, Office of the Auditor General FRANK J. MAUTINO, AUDITOR GENERAL To obtain a copy of the Report contact: Office of the Auditor General, Iles Park Plaza, 740 E. Ash Street, Springfield, IL 62703 (217) 782-6046 or TTY (888) 261-2887 This Report Digest and Full Report are also available on the worldwide web at www.auditor.illinois.gov INTRODUCTION Because of the significance and pervasiveness of the findings described within the report, we (the accountant’s) expressed an ADVERSE OPINION on the Department of Labor’s compliance with the specified requirements which comprise a State compliance examination. The Codification of Statements on Standards for Attestation Engagements (AT-C § 205.72) states a practitioner “should express an adverse opinion when the practitioner, having obtained sufficient appropriate evidence, concludes that misstatements, individually or in the aggregate, are both material and pervasive to the subject matter.” SYNOPSIS • (21-01) The Department of Labor (Department) did not exercise adequate control over its accounts receivable and related reporting. • (21-02) The Department failed to establish and maintain adequate internal control over its Special State Trust Fund (Fund 251), which holds unpaid wages due to employees. • (21-08) The Department had not implemented adequate internal controls related to cybersecurity programs, practices and control of confidential information. FINDINGS, CONCLUSIONS, AND RECOMMENDATIONS INADEQUATE CONTROLS OVER ACCOUNTS RECEIVABLE The Department of Labor (Department) did not exercise adequate control over its accounts receivable and related reporting. During testing, we noted the following: • The Department was unable to provide detailed individual accounts receivable records for the General Revenue Fund (Fund 001), Child Labor and Day and Temporary Labor Services Enforcement Fund (Fund 357), Employee Classification Fund (Fund 446), and Wage Theft Enforcement Fund (Fund 885). • The Department’s Accounts Receivable Activity (Form C-97) did not report any amounts considered to be uncollectible and did not report any write-offs during Fiscal Year 2020 and Fiscal Year 2021. • The Department was unable to provide an aging schedule to support its Aging of Total Gross Receivables (Form C-98). • The Department was unable to provide current policies or procedures for handling and reporting its accounts receivable, tracking and monitoring complaints received, posting delinquent accounts receivable into the Comptroller’s Illinois Debt Recovery Offset Portal system or pursuing other debt collection procedures, and writing off uncollectible receivables. In discussing this matter with Department officials, they indicated some divisions have adopted their own collection procedures that have not been formally approved by the Department. Due to these conditions, we were unable to conclude whether the Department’s population records were sufficiently precise and detailed under the Attestation Standards promulgated by the American Institute of Certified Public Accountants to test the Department’s accounts receivable. Even given the population limitations noted above which hindered the ability of the accountants to conclude whether selected samples were representative of the population as a whole, we performed the following tests and noted the following: • The Department was unable to provide supporting documentation for additions or collections reported on Form C-97 reports during Fiscal Years 2020 and 2021. • One of 32 (3%) Form C-98 reports tested contained a misstatement of $30,000. • One of 8 (13%) Form C-97 reports was filed six days late. (Finding 1, pages 10-12) THIS FINDING HAS BEEN REPEATED SINCE 2005. We recommended the Department take action to ensure its accounts receivable are properly recorded, collection efforts are made, and accounts receivable reports are properly prepared in accordance with all applicable laws, rules, and regulations. The Department accepted the recommendation and stated they are currently reviewing the balances and funds which have reportable accounts receivables. The Department also stated they will create policies and procedures to ensure that accounts receivable are reported correctly. FAILURE TO ESTABLISH AND MAINTAIN ADEQAUTE INTERNAL CONTROL OVER THE SPECIAL STATE TRUST FUND The Department failed to establish and maintain adequate control over its Special State Trust Fund (Fund 251), which holds unpaid wages due to employees. As of June 30, 2021, Fund 251 had $1,897,262 in cash. Pursuant to the Illinois Wage Payment and Collection Act (WPCA) (820 ILCS 115/11.5(a)), the Department collects, when necessary, an employee’s wages or final compensation due and holds these moneys until the employee (now, claimant) can be located by the Department and properly paid. Additionally, pursuant to the Minimum Wage Law (MWL) (820 ILCS 105/12(b)), the Department collects, when necessary, unpaid minimum wages and overtime due to employees and holds these moneys until the employee (now, claimant) can be located by the Department and properly paid. Finally, the Statewide Accounting Management System (SAMS) (Procedure 05.50.01) notes fiduciary funds account for assets held by a governmental unit in a trustee capacity or as an agent for individuals, and SAMS (Exhibit 27.50.10-A) notes Fund 251 is an agency type of fiduciary fund. During our testing, we noted: • Two of 60 (3%) claimant payments tested, totaling $5,144, were approved for payment between 14 to 16 days after the Department determined the monies were owed to the claimant. • We were unable to reconcile the Department’s ledger of claimants to Fund 251’s cash balance from the Monthly Cash Report (SB05) prepared by the Comptroller. We noted unreconciled differences of $1,451,268 and $1,386,031 at June 30, 2020, and June 30, 2021, respectively. • At June 30, 2021, the Department was holding claimant balances related to activity in previous Fiscal Years. Each of these balances required a proper disposition by the Department. (Finding 2, pages 13-15) This finding has been repeated since 2007. We recommended the Department take action to ensure: • claimant payments are promptly processed and paid, along with the posting of proper accounting entries, when distributed from Fund 251; • reconciliations of the total amount due to claimants at the end of each month to the SB05 report are performed and any unreconciled discrepancies are investigated and properly resolved; • amounts due to claimants older than one year under the MWL are promptly transferred to the General Revenue Fund, with the timely posting of proper accounting entries; and, • amounts due to claimants under the WPCA are properly handled under the relevant provisions of RUUPA, with the timely posting of proper accounting entries. The Department accepted the recommendation and stated they are working to identify all unpaid claimants. The Department also stated they have made transfers during Fiscal Year 2022 in accordance with WPCA and MWL and will continue to make a good faith effort in locating claimants prior to transferring funds. WEAKNESSES IN CYBERSECURITY PROGRAMS AND PRACTICES The Department had not implemented adequate internal controls related to cybersecurity programs, practices and control of confidential information. During our examination of the Department’s cybersecurity program, practices, and control of confidential information, we noted the Department had not: • Developed a formal, comprehensive, adequate and communicated security program (including policies, procedures, and processes as well as clearly defined responsibilities over the security of computer programs and data) to manage and monitor the regulatory, legal, environmental and operation requirements. • Established a risk management methodology or performed a comprehensive risk assessment to identify and ensure adequate protection of information (i.e. confidential or personal information) most susceptible to attack. • Classified its data to identify and ensure adequate protection of information. • Evaluated and implemented appropriate controls to reduce the risk of attack. • Implemented a formal policy to ensure all State-owned storage media was erased, wiped, sanitized or destroyed in accordance with the Data Security on State Computers Act. • Ensured annual security awareness training was completed for 3 of 175 (2%) employees. (Finding 8, pages 30-32) We recommended the Department work with the Department of Innovation and Technology to define roles and responsibilities related to cybersecurity control. In addition, we recommended the Department: • Develop a formal, comprehensive, adequate and communicated security program (including policies, procedures, and processes as well as clearly defined responsibilities over the security of computer programs and data) to manage and monitor the regulatory, legal, environmental and operation requirements. • Establish a risk management methodology and perform a comprehensive risk assessment to identify and ensure adequate protection of confidential or personal information. • Classify its data to establish the types of information most susceptible to attack to ensure adequate protection. • Evaluate and implement appropriate controls to reduce the risk of attack. • Develop policies and procedures to ensure all media is sanitized in accordance with the Data Security on State Computers Act (20 ILCS 450/20). • Ensure Security Awareness training is completed by employees annually. The Department accepted the recommendation and stated the Department plans to perform a risk assessment after initial plans and procedures are completed to document and classify data across the Department. While this is occurring, the Department also stated they will be revising draft policies and procedures to provide stronger protection over storage of media and confidential information. Employees will be reminded of their training obligations and tracking tools will be used to identify which employees still need to complete training. OTHER FINDINGS The remaining findings pertain to state property control weaknesses; inadequate control over personal services; noncompliance with the Project Labor Agreements Act, the Employee Classification Act, and the Fiscal Control and Internal Auditing Act; lack of disaster contingency planning and controls for service providers; and weaknesses in change management of computer systems and information technology access. We will review the Department’s progress towards the implementation of our recommendations in our next State compliance examination. ACCOUNTANT’S OPINION The accountants conducted a State compliance examination of the Department for the two years ended June 30, 2021, as required by the Illinois State Auditing Act. Because of the effect of noncompliance described in Findings 2021-001 through 2021-006, the accountants stated the Office did not materially comply with the requirements described in the report. This State compliance examination was conducted by West & Company, LLC. JANE CLARK Division Director This report is transmitted in accordance with Section 3-14 of the Illinois State Auditing Act. FRANK J. MAUTINO Auditor General FJM:mrk