THIRD PARTY REVIEW
Summary of Findings:
WILLIAM G. HOLLAND
Iles Park Plaza
The Department of Central Management Services' (Department) Bureau of Communication and Computer Services carries out statutory responsibilities relating to data processing and telecommunication services (20 ILCS 405/35.3; 20 ILCS 405/35.7; 20 ILCS 405/35.7a; 20 ILCS 405/35.7c; and 20 ILCS 405/35.8). To fulfill its responsibilities, the Department operates the Central Computer Facility (CCF), the Communications Center, and two branch facilities - one each in Springfield and Chicago. The Springfield branch facility also serves as the primary backup site should a disaster prevent processing at the Central Computer Facility. Through its facilities, the Department provides data processing services to approximately 103 user entities.
The CCF functions as a data processing service center, providing computing and telecommunication resources for State agencies' use. The Department and the agencies that use the Department's computer resources share the responsibility for maintaining the integrity and security of computerized data and functions.
We reviewed data processing general controls at the Department during the period from February 23 to May 15, 1998. We performed tests to determine compliance with policies and procedures, conducted interviews, performed observations, and identified specific control objectives and procedures we considered necessary to evaluate the controls.
We also reviewed application controls for systems maintained by the Department for State agencies' use. The systems reviewed were the Generalized Accounting, Central Payroll, Central Inventory, Central Time and Attendance, and Accounting Information Systems.
The Department's control procedures and the degree of
compliance with the procedures were sufficient to provide
reasonable, but not absolute, assurance that relevant
control objectives were achieved.
To view an online version of the
complete report, go to
ILLINOIS DEPARTMENT OF CENTRAL MANAGEMENT SERVICES
BUREAU OF COMMUNICATION AND COMPUTER SERVICES
|Mainframes||6 Units Configured as 13
|Services/Workload||54,000 Nodes Statewide
(Terminals, Printers, etc.)
40 Million IMS Transactions per Month
3 Million Feet of Laser Printing per Month
308,000 Reel/Cartridge Tape Mounts per Month
|State Agency Users||103
|CCF Employees||1995 -- 127
1996 -- 128
1997 -- 126
1998 -- 125
|Historical Growth Trend*||
1975 -- 400
-- Base CPU Hours Billed
1980 --1,700 -- Base CPU Hours Billed
1986 --5,200 -- Base CPU Hours Billed
1990 --14,143-- Base CPU Hours Billed
1994 --27,823 -- Base CPU Hours Billed
1995 -- 34,977-- Base CPU Hours Billed
1996 -- 44,201-- Base CPU Hours Billed
1997 -- 44,201 -- Base CPU Hours Billed
1998 --75,900 -- Base CPU Hours Billed
*In the month of January for each year listed
Information provided by the Department
|AGENCY DIRECTOR AND BUREAU MANAGER|
|During Audit Period: Director: Michael
Schwartz -- Bureau Manager: William Vetter
Currently: Director: Michael Schwartz -- Bureau Manager: William Vetter
Year 2000 Compliance
Computer Problems May Impact Government Services
State Government Must Be Prepared
Year 2000 Compliance
The following excerpts from an April 1998 United States General Accounting Office (GAO) Report, titled YEAR 2000 COMPUTING CRISIS -- Potential for Widespread Disruption Calls for Strong Leadership and Partnership, illustrates the potential impact of the Year 2000 on State government computer systems.
Over the past 2 years, the term "Year 2000 Problem" has become increasingly familiar. This problem is rooted in the way in which automated information systems have, for the past several decades, typically represented the year--using two digits rather than four--in order to conserve electronic data storage space and reduce operating costs. Thus 1998 would be represented as simply 98. In this format, however, 2000 is indistinguishable from 1900 because both are represented only as 00. As a result, if not modified, computer systems or applications that use dates or perform date- or time-sensitive calculations may generate incorrect results beyond 1999, reading 00 as 1900 rather than 2000.
The public faces a high risk that critical services provided by the government and the private sector could be severely disrupted by the Year 2000 computing crisis. Financial transactions could be delayed, flights grounded, power lost, and national defense affected. The many interdependencies that exist among governments and within key economic sectors could cause a single failure to have adverse repercussions. While managers in the government and the private sector are taking many actions to mitigate these risks, a significant amount of work remains, and time frames are unrelenting.
As we reviewed the status of Year 2000 compliance efforts at State agencies in conjunction with financial and compliance audits, we determine that significant future efforts were needed to ensure that the Year 2000 would not adversely impact State government operations. In all cases additional work was required to ensure Year 2000 compliance, and in some cases very little progress had been made.
The Year 2000 Project - Quarterly Report as of March 31, 1998, which was prepared by the Department's Illinois Year 2000 Project Office, confirmed our conclusions that significant efforts were still needed. The Quarterly Report was derived from agency reports submitted to the Illinois Year 2000 Project Office. Of those agencies that reported information to the Project Office, the average overall completion of Year 2000 compliance efforts, as of March 1998, was 36 percent.
Since Year 2000 compliance issues will impact State government, we recommend the Department continue and intensify its efforts in coordinating the Year 2000 compliance issue for the Department and for State agencies. In addition, the Department and all State agencies should develop contingency plans to address applications that cannot be converted by January 1, 2000, identify vendor software packages for which a Year 2000 compliant version will not be available, and appraise infrastructure elements that cannot be converted for Year 2000.
Disaster Contingency Planning
Although the Department has made significant progress in addressing the disaster contingency needs of the State's Central Computer Facility, the plans and operational provisions still need to be enhanced to provide assurance that all of the State's critical applications and network operations can be recovered within the required timeframes. The State is placing great reliance on the Department's ability to provide data processing and network services in the event of a disaster. As such, a comprehensive and thoroughly tested disaster contingency plan and sufficient backup facilities are essential components of recovery efforts.
The Department should continue its efforts to ensure that the necessary components are available to provide for continuation of critical computer operations in the event of a disaster. In addition, the Department should continue to conduct comprehensive tests of the disaster recovery plan on an annual basis.
Procedures were generally sufficient to provide reasonable, but not absolute, assurance that relevant general and application control objectives were achieved.