REPORT DIGEST

ILLINOIS STATE TOLL HIGHWAY AUTHORITY

FINANCIAL AND
COMPLIANCE AUDITS
For the Year Ended:
December 31, 1998

Summary of Findings:

Total this audit 10
Total last audit 6
Repeated from last audit 4

Release Date:
September 2, 1999


State of Illinois
Office of the Auditor General

WILLIAM G. HOLLAND
AUDITOR GENERAL

To obtain a copy of the Report contact:
Office of the Auditor General
Attn: Records Manager
Iles Park Plaza
740 E. Ash Street
Springfield, IL 62703
(217) 782-6046 or TDD (217) 524-4646
This Report Digest is also available on
the worldwide web at
http://www.state.il.us/auditor

SYNOPSIS


· The Authority’s Computer Disaster Recovery Plan continued to be incomplete and did not insure that its data processing functions could be reasonably performed if an emergency occurred that rendered its computer center inoperable. The Authority relies on its computer operations to perform accounting and public safety functions. This finding has been repeated since 1987.

· The Authority’s security over its local area network (LAN) and mainframe computer system continues to have weaknesses that require improvement. Inadequate security over its LAN has been a repeated finding since 1994.

· The Authority did not follow the established internal audit procedures of obtaining responses to findings and participating in exit conferences for certain internal audit findings.

· The Authority was forfeiting interest income by not investing I-Pass deposits and prepayments in savings accounts that would produce interest income.



ILLINOIS STATE TOLL HIGHWAY AUTHORITY
FINANCIAL AND COMPLIANCE AUDITS
For The Year Ended December 31, 1998

FINANCIAL OPERATIONS (GAAP BASIS)                                       1998            1997

Operating Revenue
  Tolls                                                         $323,523,687    $317,979,697
  Concessions                                                      9,675,971       4,386,576
  Other                                                              700,328       1,090,143
  Total Operating Revenue                                       $333,899,986    $323,456,416

Operating Expenses
  Depreciation and Amortization                                 $128,702,765    $125,724,621
  Services and Toll Collection                                    50,736,503      50,319,415
  Insurance and Employee Benefits                                 33,956,694      31,600,316
  Engineering and Maintenance of Roadway and Structures           26,423,275      26,223,950
  Traffic Control, Safety Patrol, and Radio Communications        12,118,904      12,594,238
  Administrative                                                  10,048,527       9,810,964
  Total Operating Expenses                                      $261,986,668    $256,273,504

SIGNIFICANT ACCOUNT BALANCES                       December 31, 1998    December 31, 1997

  Cash (Unrestricted)                                   $288,458,124         $321,318,207
  Cash (Restricted)                                      $18,963,856          $27,738,127
  Accounts Receivable (net)                               $9,066,908           $7,398,538
  Investments (Restricted)                              $171,489,067         $173,795,533
  Property, Plant and Equipment                       $1,829,568,196       $1,724,808,729
  Revenue Bonds Payable                                 $933,718,709         $930,850,000

AGENCY DIRECTORS
During Audit Period: Mr. Ralph C. Wehner
Currently: Mr. Ralph C. Wehner

Computer Disaster Recovery Plan did not insure accounting and public safety functions could be performed

Virtually all information, whether it was confidential or not, was accessible through the Authority’s local area network

Internal audit findings may not be corrected if responses are not obtained and exit conferences are not conducted

The Authority lost an estimated $225,888 in interest income

INTRODUCTION

These reports represent the results of our financial and compliance audit for the year ending December 31, 1998.

FINDINGS, CONCLUSIONS, AND RECOMMENDATIONS

INCOMPLETE DISASTER CONTINGENCY PLAN

The Authority’s Computer Disaster Recovery Plan (Plan) continued to be incomplete and did not insure that its data processing functions could be reasonably performed if an emergency occurred that rendered its computer center inoperable. The Authority relies on its computer operations to perform accounting and public safety functions.

The Authority contracted with a computer-consulting firm to develop an updated disaster recovery plan. The Authority indicated it intends to use the plan as a guide to develop its own plan. According to Authority personnel, progress on the plan has been limited due to other priorities and limited resources.

An adequate Plan should minimize the interruption of operations and loss of critical information in the event of a disaster. Without a detailed Plan, it would be difficult for the Authority to insure that it can perform the Authority’s vital operations in the event of an emergency. (Finding 98-1, pages 12-13)

We recommended the Authority management promptly complete the details of the Plan. Once the Plan is completed, responsibilities to test and update the Plan on a periodic basis should be assigned to Authority personnel to insure that the Plan is effective. An on-going commitment to test and update the Plan will be essential to its success. This finding has been repeated since 1987.

The Authority responded that it is in agreement and fully recognizes the need for Disaster Recovery Planning. Officials said supplemental contingency plans are currently being developed internally and are expected to be complete by October 31, 1999. (For previous Agency responses, see Digest Footnote #1.)

INADEQUATE COMPUTER SECURITY

The Authority’s security over its local area network (LAN) and its mainframe computer system continues to have weaknesses that require improvement.

Virtually all information, whether it was confidential or not, was accessible through the Authority’s LAN. The LAN also provides the entry path to the mainframe system.

Some common security deficiencies that exist are:

· Passwords were allowed to be the same as the user initials or the login ID.

· Passwords are only changed every 90 days. (Findings 98-2 and 98-3, pages 14 – 17)

We recommended the Authority develop standards which minimize security risk through preventive measures, limit loss from unauthorized access, identify irregularities in a timely fashion, and define and implement disciplinary action for violating security procedures. Inadequate security over its LAN has been a repeated finding since 1994.

The Authority accepted our recommendation and stated it will develop and implement standards, controls, procedures and monitoring in connection with its Y2K compliance initiatives. (For previous Agency responses, see Digest Footnote #2.)

INTERNAL AUDIT PROCEDURES NOT FOLLOWED

The Authority did not follow the established procedures of obtaining responses to findings for internal audit Report #271, Operational and Contract Compliance Evaluation of Self Indemnity (Fee for Service) Health Benefits Program.

During this audit, findings were noted; however, responses were not obtained because the audit scope was not completed after access to records of the Third Party Administrator was denied. Authority Management stated it was satisfied that no financial loss occurred.

State statute requires the chief internal auditor to submit to the chief executive officer a written report detailing how the audit plan for the year was carried out, the significant findings, and the extent to which recommended changes were implemented. This audit was included in the annual report and contains 17 findings and recommendations. A number of the findings pertain to weaknesses in procedures and controls.

The internal audit findings may not be corrected if responses are not obtained and exit conferences are not conducted. (Finding 98-5, page 19)

The Authority responded that the findings were addressed when a contract was executed with the new third party administrator. They also said internal control changes would be reviewed in a follow-up audit.

LOST INTEREST ON I-PASS DEPOSITS

The Authority was not investing the I-Pass deposits and prepayments in interest yielding accounts until July 1998. From November 1993 to December 31, 1997, the Authority lost an estimated $142,010 in interest income. In 1998, the Authority lost an estimated $83,878 in interest income.

The Authority stated that it did not invest the deposits and prepayments based on the belief that interest on the security deposit for the transponder would have to be paid to the consumer. The costs to monitor the interest due to consumers would therefore more than offset the interest income. (Finding 98-6, pages 20 - 21)

The Authority did not provide any specific citation to support its belief and ultimately agreed to invest the deposits. We recommended continuing to invest the I-Pass deposits and prepayments in interest yielding accounts.

OTHER FINDINGS

The remaining findings are of lesser significance and are being given attention by the Authority. We will review the Authority’s progress toward implementation of our recommendations in our next audit.

Nicholas W. Jannite, Chief of Finance, provided responses to our findings.

AUDITORS’ OPINION

Our auditors stated the Illinois State Toll Highway Authority’s December 31, 1998 financial statements are fairly presented.

____________________________________

WILLIAM G. HOLLAND, Auditor General

WGH:TEE:pp

SPECIAL ASSISTANT AUDITORS

Clifton Gunderson L.L.C. were our special assistant auditors for this engagement.

DIGEST FOOTNOTES

#1: INCOMPLETE DISASTER CONTINGENCY PLAN – Previous Agency Responses

1997: "The Disaster Contingency Plan has been completed with the help of a consultant. A copy of the plan has been submitted to the Auditor General’s Office and to their representative, Clifton Gunderson L.L.C. for comments. Once we receive any comments on the plan, the Authority will begin testing of the plan."

1996: "The Authority agrees that the completion of the formalization of its disaster recovery plan is a priority goal within the MIS Department. The Authority has contracted with an outside contractor to assist it in the review and completion of this plan. Procedures for periodic review and testing of the plan will be determined once the plan itself has been formalized. The Authority anticipates it will meet the recommendations of the auditors during calendar year 1997. While the creation of a secure site is still under consideration, no formal plans for contracts will be awarded in relation to this prior to the completion of the formal written disaster contingency plan. The Authority presently has an agreement with Unisys Corporation to provide off-site emergency services. The Authority has tested this contingency plan by running a test of its payroll system."

1995: "As indicated in last year’s responses, the Authority recognizes and agrees with the finding that we should be able to perform vital operations in the event of an emergency. Since the original finding appeared in 1987, the Authority has taken measures to improve the Computer Center environment, through the installation of physical safeguards. The Authority is currently negotiating the terms of an agreement with the mainframe manufacturer for the use of their facility as an alternate site. Additionally, the Authority is migrating the Toll Collection and Revenue Accounting System to the same environment. This migration will consolidate all critical mainframe applications onto a single hardware vendor. Therefore, the Authority continues to work toward completing a plan."

1994: "As indicated in last year’s responses, the Authority recognizes and agrees with the finding that we should be able to perform vital operations in the event of an emergency. Since the original finding appeared in 1987, the Authority has taken measures to improve the Computer Center environment, through the installation of physical safeguards, such as smoke detection, fire detection, uninterruptible power supplies and halon extinguishing system. By spring of 1995, the Authority will establish a committee to develop a business recovery plan."

1992: "The Authority recognizes and agrees with the audit finding that we should be able to perform vital operations in the event of an emergency. However, the Authority no longer supports the recommendation on how the plan should be structured or the minimal requirements of an alternate site for processing data. It is now our belief that this determination can best be made upon completion of a two (2) phase analysis of the risk, cost, and impact of a business recovery plan which will actually support the business continuity of the Authority.

The Authority has studied our requirements for the development of a Computer Disaster Recovery Plan over the course of several years. It is our belief that a Computer Disaster Recovery Plan would not guarantee our ability to sustain business operations or financial obligations in the event of a disaster unless such a disaster was contained within the Computer Center room itself. Because of the safeguards built into the Computer Center, such as smoke detection, water detection, uninterruptible power supplies and halon extinguishing system, the risk in losing computer resources contained in the room is minimal. However, there is a broader issue regarding continuity of operations if our administrative headquarters and/or any outlying plaza or maintenance facility are rendered inoperable. This realization caused the Authority to re-evaluate the objectives of disaster contingency and to focus on the necessity for business continuity planning. In recognition of the dynamic scope contained in this type of approach, the Authority plans to perform this project in phases over the course of the next several years. We have solicited and are reviewing proposals from two (2) major accounting firms for services to conduct the first two (2) phases of this project: Vulnerability/Risk Assessment and Business Impact Analysis. The time estimated to complete these phases ranges from four (4) to eight (8) months. We plan to receive board approval to begin this project in the second quarter of calendar year 1994."

1991: "With our relocation to a new facility, the Authority has incorporated a number of physical safeguards against data loss, such as uninterruptible power sources; has current plans showing the layout of equipment and cabling requirements; and has utilized off-site storage facilities. We anticipate reviewing a comprehensive disaster recovery plan within the year. We will continue with efforts to implement and maintain an adequate disaster recovery plan."

1990: "With our relocation to a new facility, the Authority has incorporated a number of physical safeguards against data loss, such as uninterruptible power sources. The Authority also has current plans showing the layout of equipment and cabling requirements and utilized off site storage facilities. We anticipate reviewing a comprehensive disaster contingency plan within the year. We will continue with efforts to implement and maintain an adequate disaster contingency plan."

1988: "It must be pointed out that even though the Computer Aided Dispatch is considered part of the Authority’s data processing organization, the ability to service patrons and provide law enforcement is never jeopardized. Reciprocal agreements already exist throughout all Illinois State Police Districts. District 15 coverage would be distributed across Districts 1, 2, 3, 4 and 5, respectively according to geographical location of a tollway incident. We also utilize CB radios in our maintenance operations.

In addition, all computerized systems have offsite storage of program software and documentation. A copy of the Disaster Recovery Plan is also stored offsite and reviewed every six months and updated when necessary. A proposal from an outside firm to design a contingency plan has been obtained and an agreement will be entered into in 1989. The Authority will continue with all efforts to develop an adequate disaster contingency plan."

1987: "The statement that "a more detailed plan has not been developed because there is not sufficient interest by the Authority in having an overall contingency plan" is not true. The finding also neglected to point out that the Authority has a written agreement with one vendor (UNISYS) for resource availability in the event of a disaster to the Authority’s financial system. While "alternate site processing" may be the best theoretical solution to the development of a disaster contingency plan, it is the most expensive and complex method of providing such a plan and may not be the most practical method for the Authority. The Authority does realize the importance of a disaster contingency plan. However, the complexity of the alternatives, including the one recommended in the finding, is such that all possible alternatives, taking into account current environment and future changes, must be thoroughly reviewed and evaluated. The Authority will initiate the procedure it deems best for the Authority as soon as the most appropriate plan is identified."

#2: INADEQUATE COMPUTER SECURITY – Previous Agency Responses

1997: "The Authority agrees in part with the recommendations.

· Passwords are unique and a minimum of five (5) characters. The security software in use, however, does not compare login I.D. with the user’s password. New security software would have to be purchased in order to have this particular feature.

· The Authority currently changes passwords every ninety (90) days with a maximum of five (5) grace logins. The Authority believes this is adequate to meet both security needs and to maintain user comfort with the network.

· The Authority operates on a twenty-four (24) hour, seven (7) days a week basis. The Authority must provide reasonable and routine access to accounts during operating hours of the Tollway, which includes twenty-four (24) hour Police, plaza and maintenance operations. Time restrictions have been tested and resulted in numerous user complaints and created unnecessary administration burdens.

· Security activity and violations will be logged quarterly."

1996: "The Authority agrees that network security should remain a high priority, and additional security measures should be implemented in an effort to continue to improve upon network security. Presently, all users have passwords, passwords are required to be five characters in length, and users are encouraged to use unique passwords. Our present policy of changing passwords every 90 days has proven to be adequate to both meet security needs, and to maintain user comfort with the network. The Authority is willing to consider a more frequent schedule of password changes if required. Account usage is presently reviewed using BindView, and inactive accounts are disabled after 21 days, since the first quarter of 1997 (a shorter time period than that recommended by the auditors). All users are presently allowed only a single network session. Access to programs is determined by each department based on each user’s job responsibilities. Additional security features are being investigated for implementation within the Authority, including replacement of the Cheyenne Backup system with a more secure password protected backup system. The MIS Department is presently seeking the participation of Authority system users in an evaluation of the impact which new security measures presently under consideration would have on users and their managers.

A number of management issues surrounding the installation and expansion of the Authority’s LAN/WAN created a temporary environment where select security features were temporarily overridden for managerial installation and testing needs. These procedures do not represent standard security procedures at the Authority."

1995: "The Authority accepts the value of the recommendations of the extensive Information Systems Audit performed by the Office of the Auditor General. The Authority has recently established a MIS Steering Committee. The initial task of this committee will be to establish guidelines for security of the LAN systems to be completed by the third quarter of 1996."

1994: "The Authority agrees with the Auditor General on the importance of a secure Local Area Network. The systems analysis software utilized by the Auditor General is a useful tool for monitoring the security of the system. The Authority will consider acquisition of the analysis software to assist in the monitoring of security features and the enhancement of the existing security structure to meet the Auditor General recommendations."