REPORT DIGEST

ILLINOIS DEPARTMENT OF REVENUE

FINANCIAL AUDIT FOR THE YEAR ENDED JUNE 30, 2016
COMPLIANCE EXAMINATION FOR THE TWO YEARS ENDED JUNE 30, 2016

Release Date: April 20, 2017

FINDINGS THIS AUDIT: 10

CATEGORY: NEW -- REPEAT -- TOTAL
Category 1: 1 -- 0 -- 1
Category 2: 4 -- 5 -- 9
Category 3: 0 -- 0 -- 0
TOTAL: 5 -- 5 -- 10

FINDINGS LAST AUDIT: 14

Category 1: Findings that are material weaknesses in internal control and/or a qualification on compliance with State laws and regulations (material noncompliance).
Category 2: Findings that are significant deficiencies in internal control and noncompliance with State laws and regulations.
Category 3: Findings that have no internal control issues but are in noncompliance with State laws and regulations.

State of Illinois, Office of the Auditor General
FRANK J. MAUTINO, AUDITOR GENERAL

To obtain a copy of the Report contact: Office of the Auditor General, Iles Park Plaza, 740 E. Ash Street, Springfield, IL 62703
(217) 782-6046 or TTY (888) 261-2887

This Report Digest and Full Report are also available on the worldwide web at www.auditor.illinois.gov

SYNOPSIS

• (16-1) The Department failed to implement adequate change management, disaster recovery, and security controls over the enterprise wide tax system (GenTax).
• (16-2) The Department had weaknesses with the controls over the project management of the enterprise wide tax system (GenTax).
• (16-3) The Department has not completely implemented controls and safeguards over processing taxpayer information.

FINDINGS, CONCLUSIONS, AND RECOMMENDATIONS

LACK OF CONTROLS OVER GENTAX

The Department failed to implement adequate change management, disaster recovery, and security controls over the enterprise wide tax system (GenTax). During testing, some of the items the auditors noted were as follows:

• The Department did not have a formal change management standard in place until April 2016 to control the change process over GenTax.
• The Department had not developed a disaster recovery plan and had not conducted testing to ensure GenTax or the ancillary applications and data could be timely restored.
• The Department had not developed an access control policy rights to GenTax. (Finding 1, pages 14-15)

We recommended the Department establish and maintain adequate controls over the security, availability, integrity, and confidentiality of GenTax data.

The Department agreed with the recommendation and stated the change management process implemented in April 2016 is being followed. The Department is actively working with the Illinois Department of Innovation and Technology to conduct disaster recovery testing in order to gain assurance that it could recover in the event of a disaster. The Department published an Access Control Procedure Manual effective November 2016.

WEAKNESSES IN PROJECT MANAGEMENT OF GENTAX

The Department had weaknesses with the controls over the project management of the enterprise wide tax system (GenTax). During the examination period, the Department continued GenTax’s expansion, which included Rollout 5 and replacing the Department’s legacy Consolidated Accounting System with the GenTax General Ledger. During testing, the auditors noted the following:

• The vendor’s contract deliverables were not always approved by the Department or were approved after Rollout 5 or the General Ledger went into production.
• Testing scripts did not always provide detail as to the actual testing performed and the testing scripts with identified problems did not contain documentation associated with the corrective action. (Finding 2, pages 16-17)

We recommended the Department ensure the development process is adequately controlled and documented.

The Department accepted the recommendation and stated revised procedures have been put in place to ensure documentation of all deliverable review and approvals are complete and sufficient.
Department officials also stated system testing will be done using defined test cases with documented results and approvals.

CONTROLS AND SAFEGUARDS OVER THE PROCESSING OF TAXPAYER INFORMATION

The Department has not completely implemented controls and safeguards over processing taxpayer information. During testing, auditors noted instances in which the Department’s internal controls to protect taxpayer information contained weaknesses in certain physical safeguards to control access to areas within the Department as well as the storage of taxpayer information. Department staff confirmed to the auditors they were not aware of any specific instances of loss of confidential information due to the identified weaknesses in physical safeguards. (Finding 3, pages 18-19). This finding has been repeated since 2010.

We recommended the Department ensure taxpayer information is adequately protected during both business and non-business hours from potential unauthorized access as mandated by State statute and IRS Publication 1075.

The Department accepted the recommendation and stated funding has been appropriated and the Department is on target for a completion date within fiscal year 2018. (For the previous Department response, see Digest Footnote #1)

OTHER FINDINGS

The remaining findings are reportedly being given attention by the Department. We will review the Department’s progress towards the implementation of our recommendations in our next compliance examination.

AUDITOR’S OPINION

The auditors stated the financial statements of the Department as of and for the year ended June 30, 2016 are fairly stated in all material respects.

ACCOUNTANT’S OPINION

The accountants conducted a compliance examination of the Department for the two years ended June 30, 2016, as required by the Illinois State Auditing Act. The accountants qualified their report on State compliance for Finding 2016-001.
Except for the noncompliance described in this finding, the accountants stated the Department complied, in all material respects, with the requirements described in the report.

This financial audit and compliance examination was conducted by Sikich LLP.

BRUCE L. BULLARD
Division Director

This report is transmitted in accordance with Section 3-14 of the Illinois State Auditing Act.

FRANK J. MAUTINO
Auditor General

FJM:JVD:cc

DIGEST FOOTNOTES

#1 – CONTROLS AND SAFEGUARDS OVER THE PROCESSING OF TAXPAYER INFORMATION

2014: The Department accepts the recommendation. Safeguarding taxpayer information is one of the Department’s highest priorities. The Department continues to implement compensating controls designed to restrict access to its facilities and taxpayer information. The Department continues to improve in its compliance with State statutes and the IRS Publication 1075.