DEPARTMENT OF CENTRAL MANAGEMENT SERVICES
BUREAU OF COMMUNICATION AND COMPUTER SERVICES
THIRD PARTY REVIEW
For the Year Ended: June 30, 2009
Release Date: July 8, 2009
State of Illinois Office of the Auditor General
WILLIAM G. HOLLAND, AUDITOR GENERAL
To obtain a copy of the Report contact:
Office of the Auditor General, Iles Park Plaza, 740 E. Ash Street, Springfield, IL 62703
(217) 782-6046 or TTY (888) 261-2887
This Report Digest and Full Report are also available on the worldwide web at: www.auditor.illinois.gov
The Department of Central Management Services’ (Department) Bureau of Communication and Computer Services carries out statutory responsibilities relating to data processing and telecommunication services (20 ILCS 405/405-10; 20 ILCS 405/405-20; 20 ILCS 405/405-250; 20 ILCS 405/405-255; 20 ILCS 405/405-260; 20 ILCS 405/405-270 and 20 ILCS 405/405-410). To fulfill its responsibilities, the Department operates the Central Computer Facility (CCF), the
The Department is mandated to manage or delegate the management of the procurement, retention, installation, maintenance, and operation of all electronic data processing equipment used by State agencies to achieve maximum economy consistent with development of adequate and timely information in a form suitable for management analysis, in a manner that provides for adequate security protection and back-up facilities for that equipment.
The Department functions as a service organization providing computing and telecommunication resources for State agencies’ use. The Department and the agencies that use the Department’s computer resources share the responsibility for maintaining the integrity and security of computerized data and functions.
We reviewed data processing general controls at the Department primarily during the period from January 5, 2009 to May 26, 2009. We performed tests to determine compliance with policies and procedures, conducted interviews, performed observations, and identified specific control objectives and procedures we considered necessary to evaluate the controls.
We also reviewed application controls for systems maintained by the Department for State agencies’ use. The systems reviewed were the Accounting Information, Central Payroll, Central Inventory, and Central Time and Attendance Systems.
ILLINOIS DEPARTMENT OF CENTRAL MANAGEMENT SERVICES
BUREAU OF COMMUNICATION AND COMPUTER SERVICES
4 Units Configured as 11 Production Systems and 6 Test Systems
1 Unit Configured as 5 Systems for Business Continuity
Impact Printing – 7.2 Million Lines per Month
Laser Printing – 14.5 Million Pages per Month
State Agency Users: 96
2006 — 777
2007 — 748
2008 — 708
2009 — 679
Historical Growth Trend (In the month of April for each year listed)
2006 — 3,217 — MIPS (Million Instructions per Second)
2007 — 3,962 — MIPS
2008 — 4,018 — MIPS
2009 — 4,035 — MIPS
Information provided by the Department – Unaudited
DEPARTMENT DIRECTOR AND DEPUTY DIRECTOR/BUREAU MANAGER
During Audit Period: Acting Director: Maureen O’Donnell (7/1/2008 to 8/24/2008)
Currently: Director: James Sledge (8/25/2008 to present)
During Audit Period and Current Deputy Director/Bureau Manager: Doug Kasamis
We identified one significant deficiency for which we could not obtain reasonable assurance over the controls.
Information Technology Billings
The Department billed user agencies for various services, based on utilizations and rates developed by the Department. However, based on inquiries and review of billing data, the Department had not implemented an adequate process/methodology to ensure the appropriateness of billings to agencies.
Billing invoices were the foundation for user agencies to make payments to the Department, including payments from the 11 agencies included in the consolidation of various functions of State government into the Department.
To ensure the accuracy of the billings, the Department should:
• Develop a process to ensure billings are appropriate and accurately reflect services rendered.
• Develop a formal methodology to clearly document the allocations of rates and charges to user agencies. (See page 6 for additional information)
The Department concurs with the Auditor’s recommendations. We are working to improve our billing processes and the billing data we make available for rates that were introduced in the last two years as a result of the IT consolidations. We are also working on a comprehensive methodology document for all of our rates.
Although not covered under audit standards as a deficiency, the deficiency outlined below may impact the Department’s ability to process information in the future.
Disaster Contingency Planning
Although the Department had developed some basic strategies to address the disaster contingency needs of the State’s Central Computer Facility, the plans and operational provisions need to be enhanced to provide assurance that all of the State’s critical applications and network operations can be recovered within required timeframes.
Although a Recovery Methodology and Recovery Activation Plan existed, they had not been updated to reflect the current environment and referenced documentation which had not been fully developed.
A recovery test was performed in September 2008; however, all Category One applications were not included in the test and the test and supporting documentation did not meet the requirements outlined in the Recovery Activation Plan.
The State is placing great reliance on the Department’s ability to provide data processing and network services in the event of a disaster. As such, comprehensive and thoroughly tested disaster contingency plans are an essential component of recovery efforts.
The Department should ensure the necessary components (plans, equipment, and facilities) are available to provide for the continuation of critical computer operations in the event of a disaster. In addition, the Department should conduct and appropriately document comprehensive tests of the plans on an annual basis. (See pages 6-7 for additional information)
The Department partially concurs with the recommendations and is confident that the deficiencies found in Recovery Services do not impact the Department’s capacity to recover the critical environment and applications of the State. This is evident in the results of the latest comprehensive exercise – environment and applications were recovered in 48 hours, with no major issues. Nevertheless, the Department will continue its current efforts to update Recovery Services documentation, enhance and improve Recovery exercises, and communicate Recovery requirements to supported Agencies.
With the exception of the one significant deficiency described above, procedures were generally sufficient to provide reasonable, but not absolute, assurance that relevant general and application control objectives were achieved.
WILLIAM G. HOLLAND, Auditor General