REPORT DIGEST

ILLINOIS DEPARTMENT OF REVENUE

Financial Audit for the Year Ended June 30, 2014
Compliance Examination for the Two Years Ended June 30, 2014

Release Date: May 28, 2015

FINDINGS THIS AUDIT: 14

CATEGORY      NEW   REPEAT   TOTAL
Category 1      0        1       1
Category 2      5        8      13
Category 3      0        0       0
TOTAL           5        9      14

FINDINGS LAST AUDIT: 21

Category 1: Findings that are material weaknesses in internal control and/or a qualification on compliance with State laws and regulations (material noncompliance).
Category 2: Findings that are significant deficiencies in internal control and noncompliance with State laws and regulations.
Category 3: Findings that have no internal control issues but are in noncompliance with State laws and regulations.

State of Illinois, Office of the Auditor General
WILLIAM G. HOLLAND, AUDITOR GENERAL

To obtain a copy of the Report contact: Office of the Auditor General, Iles Park Plaza, 740 E. Ash Street, Springfield, IL 62703 (217) 782-6046 or TTY (888) 261-2887

This Report Digest and Full Report are also available on the worldwide web at www.auditor.illinois.gov

SYNOPSIS

• (14-1) The Department’s initial year-end financial reporting in accordance with generally accepted accounting principles to the Illinois Office of the Comptroller contained inaccuracies.
• (14-2) The Department has not completely implemented controls and safeguards over processing taxpayer information.
• (14-3) Auditors noted weaknesses in the Department’s internal control over the deposit, allocation, and distribution of receipts from sales and use taxes (Retailers’ Occupation Tax or ROT).
• (14-4) The Department continued to lack adequate security controls over the GenTax (State of Illinois enterprise wide tax system) system and data.
• (14-6) The Department continued to have inadequate planning or testing for the recovery of its applications or data.
• (14-8) The Department’s Office of Internal Audit did not comply with the Fiscal Control and Internal Auditing Act.

FINDINGS, CONCLUSIONS, AND RECOMMENDATIONS

INACCURACIES IN THE DEPARTMENT’S YEAR-END FINANCIAL REPORTING PROCESS

During the audit of the Department’s June 30, 2014 financial statements, the auditors noted errors regarding the reporting of financial information. Some of the errors identified are as follows:

• During the audit, the Department identified a reciprocal agreement with another state that was not being properly recorded in its financial statements. The Department received a check from the other state in December 2013 for the 2012 tax year. The taxes receivable and unavailable revenue in the General Fund and the taxes receivable and income tax revenues in the governmental activities were understated in the prior year for the amount of the December 2013 check and the estimate of income taxes to be received relating to January through June 2013 totaling $122 million. The Department reported a restatement to the government-wide beginning net position for the understatement of taxes receivable. As the Department also received a check in December 2014, the Department notified the Illinois Office of the Comptroller and requested journal entries to be made to three of the Department’s closed Generally Accepted Accounting Principles (GAAP) Reporting Packages for the total amount of $122 million.
• Department personnel stated the annual cash transaction never came to the attention of the Financial Control Bureau because the reciprocal state payment was processed as a timely filed current year income tax in December of each year.
• During the audit, it was noted the Department did not update the percentages used to properly allocate the corporate income tax activity between corporate income tax and personal property replacement tax for year-end adjustments to taxes receivable and unearned revenue for fiscal years 2013 and 2014.
Therefore, in fiscal year 2013 the General Fund taxes receivable balance was overstated by $1.5 million and the unearned revenue was understated by $24 million for a total overstatement of income tax revenue of $25.5 million. In fiscal year 2013, the Personal Property Tax Replacement Fund taxes receivable balance was understated by $1.5 million and the unearned revenue was overstated by $24 million for a total understatement of income tax revenue of $25.5 million. The Department reported a restatement to the General Fund and the Personal Property Tax Replacement Fund beginning fund balances for the misstatement in income tax revenue in the prior year. In fiscal year 2014, the General Fund taxes receivable balance was understated by $2.8 million and the unearned revenue was understated by $27.7 million for a net overstatement of income tax revenue of $24.9 million. In fiscal year 2014, the Personal Property Tax Replacement Fund taxes receivable balance was overstated by $2.8 million and the unearned revenue was overstated by $27.7 million for a net understatement of income tax revenue of $24.9 million. The Department adjusted three fund GAAP Reporting forms and included the updated balances in the financial statements. Department personnel stated the error in the percentages used was due to percentages not being properly updated in spreadsheets used to calculate the year-end adjustments during the GAAP Package preparation process.
• Auditors noted errors in the Department’s calculation of transfers from the General Revenue Fund to the Local Government Distributive Fund during the fiscal year. During the May 2014 transfer calculation, the individual income tax and the business income taxes were transposed, overstating the transfer to the Local Government Distributive Fund by $14.6 million. During the July 2014 transfer calculation, the receipts transferred from the Protest Fund were misstated, which understated the transfer by $106 thousand.
Therefore, the transfers from the General Revenue Fund to the Local Government Distributive Fund were overstated by $14.5 million in fiscal year 2014. The misstatement was not considered material at the fund level by the Department and the financial statements were not corrected as of June 30, 2014. However, the Department indicated the overstatement was corrected in the transfers from the General Revenue Fund to the Local Government Distributive Fund in January 2015. Department personnel stated the error in the transfer calculations was the result of human error.

As a result of the exceptions noted in the finding, the initial GAAP Reporting Packages submitted to the Office of the Comptroller were misstated. In addition, the exceptions noted have the potential to misstate the Department’s financial statements. Accurate preparation of the Department’s financial information for GAAP and financial reporting purposes is important due to the impact adjustments have on the Statewide financial statements. (Finding 1, pages 16-21) This finding has been repeated since 2012.

We recommended the Department take steps to improve the review process of the underlying data that helps compile the financial statements. In addition, the Department should work with the appropriate parties to establish an accounting / financial reporting system that is integrated with its operational systems to: 1) reduce errors associated with manual intervention in converting data; and 2) improve upon the timeliness in preparing and reporting required financial information.

Department management agrees that it should always be taking steps to improve the financial reporting process and the underlying data used to compile the financial statements. The Department recognizes that human error will always be inherent in manual compilation processes and strives to allocate significant resources for the review of financial data in the short time allowed for GAAP financial reporting deadlines.
The Department is currently working to convert an antiquated receipt and fund deposit allocation system from DOS databases and spreadsheets to a GenTax general ledger module. While this is not a full, integrated general ledger needed to calculate and prepare all information for GAAP reporting, this will reduce some of the manual calculation/transposition errors. The Department will continue to work with the Governor’s Office and Illinois Office of the Comptroller to implement a statewide, integrated general ledger system which will further assist in eliminating many manual calculation errors. (For the previous Department response, see Digest Footnote #1)

CONTROLS AND SAFEGUARDS OVER THE PROCESSING OF TAXPAYER INFORMATION

During testing auditors noted instances in which the Department's internal controls to protect taxpayer information contained weaknesses in certain physical safeguards to control access to areas within the Department as well as the storage of taxpayer information. Department staff confirmed to the auditors they were not aware of any specific instances of loss of confidential information due to the identified weaknesses in physical safeguards.

Department personnel stated they continue to make improvements over the areas of protection of taxpayer records. In addition, it was noted they are working with recommendations from their Security Consultant to enact the recommendations as funding becomes available.

The Department has the responsibility to ensure only authorized individuals have access to taxpayer information and taxpayer payments. Failure to completely implement controls and safeguards could result in taxpayer identity theft or unintended use and the misappropriation of taxpayer payments. (Finding 2, pages 22-23) This finding has been repeated since 2010.

We recommended the Department ensure taxpayer information is adequately protected during both business and non-business hours from potential unauthorized access as mandated by State statute and IRS Publication 1075.

Department management accepted the recommendation and indicated safeguarding taxpayer information is one of the Department’s highest priorities. The Department continues to implement compensating controls designed to restrict access to its facilities and taxpayer information. The Department continues to improve in its compliance with State statutes and the IRS Publication 1075. (For the previous Department response, see Digest Footnote #2)

WEAKNESSES IN CONTROLS OVER SALES AND USE TAX RECEIPTS

The Department’s receipt allocation process is a manual paper process involving data amassed from several sources with complex calculations on multiple spreadsheets. It relies on interaction between various areas within the Department that are responsible for portions of the Retailers’ Occupation Tax (ROT) deposit and allocation process. The source data needed for the process is partially obtained by two different divisions within the Department and from records from the Office of the State Comptroller. The structure creates additional risk of error and miscommunication.

As cash is collected daily, the Department allocates 98% of receipts to various State and local government funds based upon a biannual estimate. For the remaining 2% of receipts, the Department sets aside these collections (2% reserve) in order to have sufficient funds to “true-up” the various local government funds once the ROT returns are perfected and the correct/final local government allocations are known. As a result of these limitations, the cash receipts and revenue associated with unperfected returns from the 2% reserve are generally recorded in the State’s General Fund.
Upon perfecting the returns, cash allocations to other governmental and fiduciary funds will be required and could be material. Further, due to the current cash allocation process limiting the accuracy of each individual fund’s cash balance at a point in time, it also limits the State Treasurer’s ability to accurately allocate interest due to various local government funds.

The weaknesses noted in the receipt allocation process, particularly with a manual paper process involving data amassed from several sources with complex calculations on multiple spreadsheets, can result in deposit errors in the State Treasury as well as errors in information used for Statewide financial reporting. (Finding 3, pages 24-25) This finding has been repeated since 2011.

We recommended the Department integrate the applicable systems from the various areas to reconcile detail return information with deposit information to reduce the reliance on staff to perform the complex calculations on multiple spreadsheets.

Department management accepted the recommendation and stated that the Department is working on enhancements to GenTax which will automate and consolidate this reconciliation process. These enhancements will significantly reduce the reliance on manual workpapers. (For the previous Department response, see Digest Footnote #3)

INADEQUATE SECURITY CONTROLS OVER GENTAX

The Department utilizes GenTax to carry out its mission as “chief tax collector for the State of Illinois.” GenTax maintains confidential and personal information on all individuals who pay taxes to the State of Illinois. During the current examination testing, the auditors noted:

• The Department did not have a documented process for the administration of access rights.
• Access rights for individuals who separated employment from the Department were not always timely deactivated. Auditors noted 9 (43%) of 21 separated individuals tested were deactivated from 9 to 969 days after separation.
• For 4 (13%) of 32 individuals with access to GenTax, the Department did not provide documentation to support the required background checks had been completed. Additionally, 3 of these 4 individuals had administrative access rights to the computer servers in which the GenTax System and data reside.
• The Department could not provide an explanation as to why 29 (88%) of 33 individuals had access to GenTax and data.
• The Department could not provide documentation authorizing 4 (24%) of 17 individuals access to GenTax.

Department management stated the Department has a process for administration of access rights and deactivation of access to GenTax, but that process is not formally documented.

The Department has the responsibility to ensure only authorized individuals have access to taxpayer information. Failure to establish adequate security controls could result in taxpayer identity theft or unintended use. (Finding 4, pages 26-27) This finding has been repeated since 2010.

We recommended that the Department should establish a documented process over the administration of GenTax users. Additionally, the Department should maintain documentation of the authorization of access, periodically review the access rights of all users, and timely deactivate separated employee accounts. In addition, we also recommended the Department should ensure required background checks are properly and timely completed, including those for individuals with access to GenTax.

Department management accepted the recommendation and indicated they will develop and document procedures governing access rights to GenTax and other systems. (For the previous Department response, see Digest Footnote #4)

LACK OF DISASTER CONTINGENCY PLANNING OR TESTING

The Department carries out its mission as the “chief tax collector” for the State of Illinois through the use of Information Technology. The Department is reliant upon approximately 111 applications in order to support their mission.
The Department’s disaster contingency plans had not been updated and had not been tested to ensure timely recovery of applications and data.

In 2006, the Department contracted with a vendor for the development of the enterprise wide tax system (GenTax). As part of the contract, the vendor was to develop a disaster contingency plan. However, such a plan still has not been developed. During fiscal year 2014, approximately 12.5 million taxpayer returns had been processed through GenTax.

Department personnel stated the applications and data are housed and maintained by the Department of Central Management Services (CMS). Despite ongoing efforts, CMS has not provided the Department with the necessary recovery capabilities to allow it to finalize its disaster recovery plan.

The lack of an adequate and tested disaster contingency plan leaves the Department exposed to the possibility of major disruptions of services. A comprehensive test of the plan across all platforms utilized will assist management in identifying weaknesses to ensure recovery procedures are adequate in the event of a disaster. (Finding 6, page 30) This finding has been repeated since 2006.

We recommended that the Department should upgrade the contingency plans to address the current environment, including the enterprise wide tax system (GenTax). The Department should also ensure the contingency plans include details specific to the recovery applications and data. In addition, the contingency plans should be tested on an annual basis and continually updated to reflect environmental changes and improvements identified from tests.

Department management accepted the recommendation and stated they are working with CMS to update the Disaster Recovery Plan and perform a disaster recovery test.
(For the previous Department response, see Digest Footnote #5)

NONCOMPLIANCE WITH THE FISCAL CONTROL AND INTERNAL AUDITING ACT

Based on auditor testing, the Department’s Office of Internal Audit (OIA) did not meet the Fiscal Control and Internal Auditing Act (Act) (FCIAA) coverage for the two year examination period. The Department has recognized and documented in their fiscal year 2013 and fiscal year 2014 Annual Reports that they do not have adequate staffing levels within the OIA to perform the work to be in compliance with the Act.

The OIA Audit Plan for fiscal year 2013 identified 11 high risk audits and projects to be performed during the fiscal year. OIA postponed 4 and cancelled 1 of these, representing 36% of the original budgeted hours scheduled to be performed during fiscal year 2013. Three additional audits and projects were added to the plan during the year, of which 1 was subsequently postponed. The 2 remaining additions replaced 13% of the budgeted hours not used in the original plan.

The OIA Audit Plan for fiscal year 2014 identified 8 high risk audits and projects to be performed during the fiscal year. OIA postponed 2 of these, representing 38% of the original budgeted hours scheduled to be performed during fiscal year 2014. Nine additional audits and projects were added to the plan during the year; however, OIA does not have documentation of the effort and resources utilized to complete these audits and projects.

Furthermore, documentation could not be provided on how the Audit Plan was developed and how the initial population of audits was identified in relation to a risk assessment matrix prepared by the Department.

Incomplete auditing of all major systems of internal accounting and administrative control increases the risk that significant internal control weaknesses will exist and errors and irregularities may go undetected.
(Finding 8, pages 34-35)

We recommended the Department devote sufficient resources to develop an effective internal audit program such that all planned audits are performed within the designated time period in accordance with the Act.

Department management accepted the recommendation and indicated they will strive to develop an effective internal audit program in full compliance with the Fiscal Control and Internal Auditing Act.

OTHER FINDINGS

The remaining findings are reportedly being given attention by the Department. Auditors will review the Department’s progress towards the implementation of all the recommendations in the next engagement.

AUDITOR’S OPINION

The auditors stated the basic financial statements of the Department as of and for the year ended June 30, 2014 were fairly presented in all material respects.

STATE COMPLIANCE EXAMINATION - ACCOUNTANT’S REPORT

The auditors qualified their report on State Compliance for finding 2014-001. Except for the noncompliance described in these findings, the auditors state the Department complied, in all material respects, with the requirements described in the report.

WILLIAM G. HOLLAND
Auditor General

WGH:RPU

SPECIAL ASSISTANT AUDITORS

Sikich LLP were our Special Assistant Auditors for this engagement.

DIGEST FOOTNOTES

#1 - INACCURACIES IN THE DEPARTMENT’S YEAR-END FINANCIAL REPORTING PROCESS

2013: The Department agrees that it should always be taking steps to improve the financial reporting process and the underlying data used to compile the financial statements. The Department recognized that human errors occurred during the process of preparing the financial statements. There are a number of complex calculations and adjustments that require manual intervention or changes to properly process data. Enhancements continue to be made to reduce manual processes and improve upon the review process.
The Department takes great pride in the high level of system testing, reviews, and year-end financial reporting work that it performs in order to produce materially correct financial statements for GAAP reporting purposes during a short window of time. Materiality is considered not only in relation to the nearly $41 billion in total taxes collected and $1.5 billion in net taxes receivable, but also at the individual fund level. Any material adjustments were completed at the fund level. The Notice of Deficiency issue was accurate at the time the financial statements were prepared, but was cancelled upon receiving additional taxpayer information. It is important to note that perfected sales taxes were correctly distributed to local governments.

#2 - CONTROLS AND SAFEGUARDS OVER THE PROCESSING OF TAXPAYER INFORMATION

2013: The Department agrees with the importance of safeguarding physical taxpayer information and continues to implement compensating controls that limit/restrict access to it in our building. The agency has relocated non-IDOR employees to public areas. We also have implemented improved controls to help prevent recurrence of the kind of incident referenced in the second bullet point. As funding is available, IDOR continues to implement other physical controls that are consistent with the two-barrier security plan. As new threats to security emerge, the effort to make improvements evolves to meet them. It should be noted that no state meets all the requirements of publication 1075. The IRS expects to see continuous improvements and the Department has ongoing discussions with the IRS to ensure that we are meeting its expectations regarding safeguarding data.

#3 - WEAKNESSES IN CONTROLS OVER SALES AND USE TAX RECEIPTS

2013: We agree with the recommendation. Using historical averages and the monthly true-up process described in this finding is the best available means to allocate receipts until returns are perfected.
It is important to note that this longstanding methodology has resulted in accurate distributions to local governments as returns are perfected and the needed cash being available in all funds to support these distributions. The Department is planning enhancements to GenTax, which include rewriting the Consolidated Accounting System and developing a general ledger system for reconciling detail return information with deposit information.

#4 - INADEQUATE SECURITY CONTROLS OVER GENTAX

2012: The Department agrees with the recommendations and has taken steps to improve our information security. We established and hired a Chief Information Security Officer (CISO) in March 2012 and established the Information Security Office. This Office is in the process of implementing a comprehensive Information Security Policy, which will include supporting standards and procedures for the Agency’s computing environment and will specifically address Access Control. In addition, the CISO has been working with the IRS Safeguards Program to address open issues as required by Publication 1075. The IRS certified our most recent Safeguard Procedures Report on November 29, 2012 stating “We are accepting this report as certification that the confidentiality of Federal tax information (FTI) is adequately protected.” The Department is one of only a few states that have received the verification of improvement in safeguarding procedures from the IRS.

The following addresses the bullets presented by the auditors.

• Bullet 1 - Although the process was not contained in a formal written document, the Department has had a process for administering access rights to the network and systems. The auditors presented no evidence of unauthorized access to the tax system.
• Bullet 3 - The Department practice is to perform background checks on all IDOR employees and only DCMS employees who have access rights to the servers.
The issue noted in this bullet point concerns long-term employees (over 7 years of state service) where the paperwork documenting the background checks had been destroyed in accordance with the record retention policy of Internal Affairs. Internal Affairs’ policy is to destroy documentation on all background checks after 7 years and there is no statutory requirement to permanently keep these documents, as they contain highly personal confidential information.
• Bullet 4 - The Department completed the initial GenTax access review. The process was begun during the audit period and this periodic review will be done on at least an annual basis going forward.

#5 - LACK OF DISASTER CONTINGENCY PLANNING OR TESTING

2012: The Department agrees with the recommendation and continues to support the re-engineering of the business Continuity Plan in specific Disaster Recovery Plans for critical applications. The Department opened a formal charter in December 2011 with CMS, the agency that handles infrastructure (including operational software), communications, and managed services such as backup and file or server restoration. The Department has defined our critical applications and data to CMS. However, to date CMS has not provided infrastructure recovery capabilities and the needed support in order for the Department to complete recovery plans. It should be noted that the Department has a detailed COOP (Continuity of Operations Plan) that would allow the Department to commence and continue operations following a prolonged impairment to our systems. Although the Department might not be able to record transactions until the systems are restored, many of the revenue generating operations that support the State financially could be continued. For example, operational tasks such as accepting payments and depositing funds would continue.