REPORT DIGEST ILLINOIS DEPARTMENT OF PUBLIC HEALTH COMPLIANCE EXAMINATION FOR THE TWO YEARS ENDED JUNE 30, 2015 Release Date: May 12, 2016 FINDINGS THIS AUDIT: 24 CATEGORY: NEW -- REPEAT -- TOTAL Category 1: 0 -- 5 -- 5 Category 2: 8 -- 11 -- 19 Category 3: 0 -- 0 -- 0 TOTAL: 8 – 16 -- 24 FINDINGS LAST AUDIT: 19 Category 1: Findings that are material weaknesses in internal control and/or a qualification on compliance with State laws and regulations (material noncompliance). Category 2: Findings that are significant deficiencies in internal control and noncompliance with State laws and regulations. Category 3: Findings that have no internal control issues but are in noncompliance with State laws and regulations. State of Illinois, Office of the Auditor General FRANK J. MAUTINO, AUDITOR GENERAL To obtain a copy of the Report contact: Office of the Auditor General, Iles Park Plaza, 740 E. Ash Street, Springfield, IL 62703 (217) 782-6046 or TTY (888) 261-2887 This Report Digest and Full Report are also available on the worldwide web at www.auditor.illinois.gov SYNOPSIS • (15-01) The Department lacked adequate administration and monitoring over awards and grants programs. • (15-02) The Department did not ensure complete and accurate commodity inventory balances. • (15-03) The Department was unable to locate 65 computers, some of which may have contained confidential information. • (15-06) Internal audits and a peer review of internal audit responsibilities were not completed. • (15-18) Adequate controls were not maintained over the administration of State vehicles. FINDINGS, CONCLUSIONS, AND RECOMMENDATIONS INADEQUATE ADMINISTRATION OF AWARDS AND GRANTS PROGRAMS The Department did not adequately administer and monitor its awards and grants programs. The Department expended over $488 million (56%) of its total expenditures for awards and grants. We sampled thirty grant programs from six offices and noted the following weaknesses: • The Department did not have written procedures to uniformly guide the administration of awards and grants. • The Department had not established administrative rules for grants. • The Department had not developed a standardized methodology, formal criteria, or mandatory site visits for monitoring grantees. • Audited financial statements were not submitted or reviewed for 77% of grantees tested, which received over $40 million in grants. • The Department did not sufficiently document its review and receipt of grant reports. (Finding 1, pages 15-19) This finding has been repeated since 2007. We recommended the Department develop and enforce a comprehensive grant administration program that includes the use of Government Accountability and Transparency Act (GATA) rules for grants and development and implementation of written procedures over the awarding and monitoring of all of the Department’s grant awards; reviewing the programmatic and financial reports of grant recipients; developing a method to document grant monitoring; use of grantee site visits; and considering a risk-based methodology for grantee monitoring, including on-site reviews of higher risk grantees. Department officials concurred with the finding and responded that a grants manual will be developed to support GATA implementation. Officials further stated they will evaluate the need for additional rules, and ensure the grant administration program includes risk assessment, monitoring, report review, and site visits. (For the previous Department response, see digest footnote #1.) WEAKNESSES IN CONTROLS OVER INVENTORY The Department did not conduct complete physical inventories and ensure the accuracy of fiscal year-end commodities inventory balances. The Department understated media inventory balances by $77,799 and overstated the balances of other inventory supplies by $161,880. In addition, year-end balances omitted inventory from eleven programs or divisions and 5% of commodities inspected, and omitted cost data for 5% of commodities tested. The dollar amount of these understatements could not be determined. The misstated balances were reported to the Illinois Office of the Comptroller in year-end financial reporting packages. (Finding 2, pages 20-21) We recommended the Department strengthen internal controls over physical inventories to ensure its fiscal year-end inventory balances are accurate and complete. Department officials concurred with the finding and stated large discrepancies between current and prior year inventory counts will be investigated and one division is working on solutions to better track laboratory inventories. INADEQUATE CONTROLS OVER COMPUTER INVENTORY The Department was not able to locate 65 computers during fiscal years 2014 and 2015, some of which may have contained confidential information. The Department reported missing computer inventory in fiscal year 2014 and 2015 totaling $76,435, which included 38 desktop and 27 laptop computers. The Department did not perform a detailed assessment to determine whether the missing computers contained confidential information. Further, the Department had not protected all of its computers with encryption software and had no internal process to clear data from computers before transfer, thus increasing the risk that confidential or personal information could be exposed. Due to management changes and lack of turnover of documents and communication, it could not be determined if the Department performed an assessment of computer inventory in 2013 as indicated in the prior finding response. Department officials stated encryption software was not installed on older computers due to insufficient processing power. (Finding 3, pages 22-25) This finding has been repeated since 2011. We recommended the Department immediately perform a detailed inventory of computer equipment and review current practices to determine if enhancements can be implemented to prevent the theft or loss of computers. We also recommended the Department establish procedures to immediately assess and document if a computer may have contained confidential information whenever it is reported lost or stolen. Department officials concurred with the finding and stated corrective actions will be taken. (For the previous Department response, see digest footnote #2.) INTERNAL AUDITS AND PEER REVIEW NOT CONDUCTED The Department’s Internal Audit division did not complete most planned audits, one annual internal audit report, or a peer review. We noted: • 94% planned audits and reviews were not completed. • No audits were completed relating to internal accounting and administrative controls. • No annual internal audit report was submitted for Fiscal Year 2014. • The Internal Audit Division did not undergo a peer review within five years of assuming audit responsibilities as required by professional standards. (Finding 6, pages 34-36) We recommended the Department audit major internal accounting and administrative control systems at least biennially, prepare annual internal audit reports, and arrange for an external assessment of internal audit activity. Department officials concurred with the finding and stated they will work to complete planned audits, submit required reports, and complete a peer review. INADEQUATE CONTROLS OVER THE ADMINISTRATION OF STATE VEHICLES The Department did not have adequate controls over reporting of vehicle accidents, fringe benefits for personal use of State vehicles, changes to vehicle assignments, maintaining vehicle records, or obtaining annual certifications of license and vehicle liability coverage. (Finding 18, pages 63-69) This finding has been repeated since 2007. We recommended the Department: • Designate and train sufficient staff; • Monitor submission of accident reports; • Enforce vehicle maintenance schedules; • Ensure proper reporting of fringe benefits; • Review and enforce procedures over timely filing of annual license and liability insurance certifications; and • Remind staff and monitor to ensure timely reporting. Department officials concurred with the finding and detailed changes they are implementing as a result. (For the previous Department response, see digest footnote #3.) OTHER FINDINGS The remaining findings are reportedly being given attention by the Department. We will review the Department’s progress toward the implementation of our recommendations during our next examination. ACCOUNTANT’S REPORT The accountants conducted a compliance examination of the Department for the two years ended June 30, 2015, as required by the Illinois State Auditing Act. The auditors qualified their report on State Compliance for findings 2015-001, 2015-002, 2015-003, 2015-006 and 2015-018. Except for the noncompliance described in these findings, the auditors state the Department complied, in all material respects, with the requirements described in the report. FRANK J. MAUTINO Auditor General FJM:lkw SPECIAL ASSISTANT AUDITORS Our Special Assistant Auditors for this examination were E.C. Ortiz & Co., LLP. DIGEST FOOTNOTES #1 - Inadequate administration of awards and grants programs - Previous Department Response. 2013: The Department concurs in the finding and recommendation. Prior to, during, and since the audit compliance period, the Department has been working to address these areas of concern. Prior to the audit period, the Department successfully standardized its grant request for applications forms (RFAs) and corresponding agreements across all agency programs into a more streamlined format. Additionally, the Department established a centralized Grants Review Committee (GRC), and implemented a GRC Grant Program Review Form to catalog and evaluate how the process by which grant programs were administered, i.e. competitive vs. non- competitive, fee for service, directed appropriation, etc. Finally, the Department began the process of drafting both an Agency wide Grants Review Manual and Grant Administration Rules during the compliance period, but was unable to finalize/implement either of those guidance documents. During the Audit compliance review period, the Department was able to procure and begin implementing an agency wide electronic Grants Administration and Management System (eGrAMS), to manage, monitor, and evaluate the entire life cycle of the grants administration process. To support the implementation and ongoing management of this system across all agency grant programs (approx 100 grant programs), the Department was also able to establish a centralized Grants Management Unit (GMU), within the Office of Performance Management (OPM). This Unit is currently comprised of a Division Chief for Grants Management, 4 grants administrators, and 3 grant monitors that are all independent of any Office’s program staff/reporting structure. The grant administrators provide technical assistance and guidance to program staff for the publishing of any agency grant RFAs, and the grant monitors provide an extra layer of oversight into any potential areas of concern related to grant program funds throughout the agency. Although the Department only had 1 grant program go live through eGrAMS by the time of the auditor’s assessment, the Grants Management Unit has since successfully published 38 grant RFAs through the new system. Due to turnover of key implementation staff, several of the above efforts have been delayed. Specifically, the Grants Review Manual and corresponding Grants Administration Rules have undergone numerous revisions and iterations by staff who were hired and subsequently left the agency during the compliance period. Additionally, the recent procurement and implementation of eGrAMS has necessitated the need to revise these documents to accommodate for both its reference, as well as the improved business processes that have been made possible by utilizing such technology. These two documents are currently being updated but have not been finalized and disseminated to all grant program staff. Lastly, with the rapid movement of HB 3820 through the legislative process (Grants Accountability and Transparency Act) it will also be necessary to sync our grants review process and procedures with any new requirements mandated by this statewide effort through the Governor’s Office of Management and Budget. #2 - Inadequate Controls over Computer Inventory 2013: The Department concurs in the finding and recommendation. As of December of 2013, the Department completed an assessment of computer equipment inventory. This assessment documented what computer equipment was assigned to which employees. This assessment also documented what operating system is installed on each computer. With this new information, the Department can determine if any lost or stolen computers were protected with full disk encryption. Processes will be put in place and communication to employees on how to properly report lost or stolen computer equipment. Processes will also be created to better track computer equipment that is sent to surplus and transferred between program areas within the Department. #3 - Inadequate Controls over the Administration of Vehicles 2013: The Department concurs in the finding and recommendation. To ensure full compliance, all full and part-time employees of the Department, public members, whether salaried or unsalaried of State Boards, Commissions, and Authorities will complete a vehicle insurance liability certification form. Additionally, each new employee upon hire, must sign a vehicle insurance certification form as a part of a condition of employment. Further, the form has been redesigned to incorporate the language found in Section 7-203 of the Vehicle Code. The Agency Travel Coordinator will periodically review the Department’s documentation in comparison with the new hires, board members, interns and persons assigned vehicles to ensure full compliance.