State of Illinois
Office of the Auditor General
2021 Annual Report
March 1, 2022
The Honorable Members of the General Assembly
The Legislative Audit Commission
The Honorable JB Pritzker, Governor
Citizens of Illinois
Ladies and Gentlemen:
Enclosed is the Annual Report of the Auditor General’s Office, submitted in compliance with Section 3-15 of the Illinois State Auditing Act.
The mission of the Auditor General’s Office has been, and will continue to be, to present objective, balanced and independent audits. I believe this Annual Report reflects the Office’s success in fulfilling that goal during calendar year 2021.
I would like to thank the members of the General Assembly, members and staff of the Legislative Audit Commission, and the staff of the Auditor General’s Office, through whose efforts the reported accomplishments were made possible.
FRANK J. MAUTINO
Frank J. Mautino became Auditor General of the State of Illinois on January 1, 2016. Prior to his appointment as Auditor General, Mr. Mautino was a member of the Illinois House of Representatives, and served as a co-chairman of the Legislative Audit Commission.
As a constitutional officer, the Auditor General audits public funds of the State and reports findings and recommendations to the General Assembly and to the Governor. The establishment of the Auditor General under the Legislature is important. It ensures that the Legislature, which grants funds and sets program goals, will ultimately review program expenditures and results. Thus, agencies are accountable to the people through their elected representatives.
The Auditor General’s Office performs several types of audits to review State agencies. Financial audits and Compliance examinations are mandated by law. They disclose the obligation, expenditure, receipt, and use of public funds. They also provide agencies with specific recommendations to help ensure compliance with State and federal statutes, rules and regulations.
Performance audits are conducted at the request of legislators to assist them in overseeing government. Programs, functions, and activities are reviewed according to the direction of the audit resolution or law directing the audit. The General Assembly may then use the audit recommendations to develop legislation for the improvement of government.
Information Systems audits are performed on the State’s computer networks. They determine whether appropriate controls and recovery procedures exist to manage and protect the State’s financial and confidential information.
Copies of all audits are made available to members of the Legislature, the Governor, the media, and the public. Findings include areas such as accounts receivable, computer security, contracts, expenditure control, leases, misappropriation of funds, personnel and payroll, property control, purchasing, reimbursements, telecommunications, and travel.
Audit reports are reviewed by the Legislative Audit Commission in a public hearing attended by agency officials. Testimony is taken from the agency regarding the audit findings and the plans the agency has for corrective action. In some cases, the Commission may decide to sponsor legislation to correct troublesome fiscal problems brought to light by an audit. All outstanding recommendations are reviewed during the next regularly scheduled audit of an agency or, if the Commission requests, a special interim audit may be conducted.
An audit and its supporting workpapers, unless confidential by, or pursuant to, law or regulation, are public documents once the report has been officially released to the Legislature, the public, and the press. These documents are available for review in our Springfield and Chicago offices.
The following information is also available by request:
• Late Filing Affidavits
• Emergency Purchase Affidavits
• Contractual Services Certifications
Information about the Auditor General is available on the Internet. This information includes report summaries and full report texts.
Our internet web site address is: www.auditor.Illinois.gov
Our e-mail address is: email@example.com
Public information is available by writing:
Office of the Auditor General
Iles Park Plaza
740 E. Ash St.
Springfield, IL 62703-3154
Telephone: (217) 782-6046
Fax: (217) 785-8222
Telephone: (312) 814-4000
Fax: (312) 814-4006 TTY: (888) 261-2887
Our Fraud Hotline is: Toll-Free: (855) 217-1895
Visit our web site at www.auditor.Illinois.gov for full details or for an on-line reporting form.
As of December 31, 2021, there were 85 employees. Eighty-one were located in the Springfield Office and four in the Chicago Office.
The Compliance Examination Program
The Auditor General is required by the Illinois State Auditing Act to conduct, as is appropriate to the agency’s operations, a financial audit and/or compliance examination of every State agency at least once every two years. These audits and examinations inform the public, the Legislature, and State officers about the obligation, expenditure, receipt, and use of public funds, and provide State agencies with specific recommendation to help ensure compliance with State and federal statutes, rules, and regulations.
The Compliance Audit Division conducted 79 engagements during the FY 2020 audit cycle. These engagements encompassed compliance examinations, financial audits, and federal audits. Staff auditors conducted 17 of these audits. The remainder were performed by public accounting firms under the general direction and management of the Auditor General’s audit managers.
The Illinois Constitution of 1970 revised and expanded the traditional financial audits conducted of State agencies to focus on compliance with legislative intent and proper performance of governmental operations, as well as financial accountability.
The compliance program has a positive impact on the operations of State government because agencies implement many of the recommendations made in these reports. Compliance reports are also reviewed by the Legislative Audit Commission, where legislators question agency directors about audit findings and the corrective action they plan to take. Legislators and their staffs also use compliance reports during appropriation hearings in the spring legislative session. To maximize the usefulness of audit information, the Office attempts to deliver audits as early as possible in the legislative session.
A number of reports issued since our last report had findings that were critically important from an accountability standpoint. A brief summary of some of these findings follows:
INADEQUATE FINANCIAL REPORTING PROCESS
The State of Illinois’ current financial reporting process does not allow the State to prepare a complete and accurate Comprehensive Annual Financial Report in a timely manner. Reporting issues at various individual agencies caused delays in finalizing the financial statements. The lack of timely financial reporting limits effective oversight of State finances and may adversely affect the State’s bond rating.
Accurate and timely financial reporting problems continue to exist even though the auditors have (1) continuously reported numerous findings on the internal controls (material weaknesses and significant deficiencies), (2) commented on the inadequacy of the financial reporting process of the State, and (3) regularly proposed adjustments to the financial statements year after year. These findings have been directed primarily towards major State agencies under the organizational structure of the Office of the Governor (Governor) and towards the Office of Comptroller (Comptroller).
The Comptroller has made significant changes to the system used to compile financial information; however, the State has not solved all the problems to effectively remediate these financial reporting weaknesses. The State has a highly decentralized financial reporting process due to the use of numerous financial reporting systems, many of which are not interrelated and require manual intervention to convert data. The process is also overly dependent on the post audit program, even though the Office of the Auditor General has repeatedly informed State agency officials that the post audit function is not a substitute for appropriate internal controls at State agencies.
Annual financial reporting to the Comptroller requires the State’s agencies to prepare a series of financial reporting forms (SCO forms) designed by the Comptroller, which are utilized to prepare the Comprehensive Annual Financial Report. Although these SCO forms are subject to review by the Comptroller’s financial reporting staff during the Comprehensive Annual Financial Report preparation process and there are recommended minimum qualifications for all new generally accepted accounting principles (GAAP) coordinators who oversee the preparation of the SCO forms, the current process still lacks sufficient internal controls at individual agencies.
We recommended the Governor and the Comptroller continue to work together to resolve the State’s inability to produce timely and accurate GAAP-basis financial information.
The Office of the Governor agreed with the recommendation and stated they will continue to work together with the Office of Comptroller, and together with the individual agencies that have the most pressing challenges, to address the core issues of the State’s inability to produce timely and accurate GAAP-basis financial information.
The Office of the Governor also stated the State is in the midst of a multi-year implementation of an Enterprise Resource Planning (ERP) system — an integrated enterprise-wide application system for financial accounting — which is intended to transform Illinois’ IT system to be more inter-related among agencies and responsive to the needs of the State, its employees and those it serves.
In addition, according to the Office of the Governor, new challenges have arisen as State agencies have been making the transition from old systems to new, but a fully-operational ERP system and grants management system will improve internal controls and will better support the production of accurate financial statements in a timely manner in agencies throughout State government.
The Office of Comptroller accepted our recommendation and stated the State still faces several road blocks in the timely completion of the Comprehensive Annual Financial Report due to the General Assembly enacting various Public Acts which extend the lapse period, thus delaying the financial reporting process. The Office of the Comptroller also stated the Comprehensive Annual Financial Report (Report) completion continues to be delayed because of financial reporting issues identified during individual State agency financial and compliance audits and the Report cannot be finalized until these issues are resolved at the individual State agency reporting level.
Lastly, the Office of Comptroller stated they will continue to work with the Governor’s Office, the Auditor General’s Office, and agency GAAP coordinators to improve the timeliness, quality, and processing of financial reporting for the State.
LACK OF CONTROLS OVER CENSUS DATA
The State of Illinois (State) did not develop a reconciliation process to provide assurance census data submitted by its agencies to its pension and other postemployment benefits (OPEB) plans was complete and accurate.
Census data is demographic data (date of birth, gender, years of service, etc.) of the active, inactive, or retired members of a pension or OPEB plan. The accumulation of inactive or retired members’ census data occurs before the current accumulation period of census data used in the plan’s actuarial valuation (which eventually flows into the State’s financial statements), meaning the plan is solely responsible for establishing internal controls over these records and transmitting this data to the plan’s actuary. In contrast, responsibility for active members’ census data during the current accumulation period is split between the plan and each member’s current employer(s). Initially, employers must accurately transmit census data elements of their employees to the plan. Then, the plan is responsible for recording and retaining these records for active employees and transmitting this census data to the plan’s actuary.
We noted the State’s employees are members of one of the State’s three retirement systems (State Employees’ Retirement System (SERS), General Assembly Retirement System (GARS), or Judges’ Retirement System (JRS)) for their pensions and the State Employees Group Insurance Program sponsored by the State of Illinois, Department of Central Management Services (CMS) for their OPEB. In addition, we noted these plans have characteristics of different types of pension and OPEB plans, including single employer plans and cost-sharing multiple employer plans.
During testing, we noted the State’s design of its internal control structure did not include a process to annually reconcile census data recorded by the plan from each employer’s transmissions during the year back to the supporting records retained by the agency/employer. There has been no initial complete reconciliation of census data recorded by the SERS, GARS, JRS, and CMS to the agency/employer internal records to establish a base year of complete and accurate census data. After establishing a base year, the agencies/employers have not developed a process to annually obtain from SERS, GRS, JRS, and CMS the incremental changes recorded in the census data during the year and reconcile these changes back to their internal supporting records. We worked with our special assistant auditors to conduct sample testing of census data transactions at several significant primary government agencies as part of their financial statement audits. Due to the lack of a reconciliation process, we noted census data exceptions (agency-level reports are available on the Auditor General’s website) across the State’s primary government which should have been identified and corrected during an annual reconciliation process. We worked with the plan actuaries to project the impact of the noted exceptions on the actuarial valuations and determined the exceptions did not materially impact the State’s financial statements.
For employers participating in plans with multiple-employer and cost-sharing characteristics, the Audit and Accounting Guide: State and Local Governments (AAG-SLG) (§ 13.177 for pensions and § 14.184 for OPEB) published by the American Institute of Certified Public Accountants notes the determination of net pension/OPEB liability, pension/OPEB expense, and the associated deferred inflows and deferred outflows of resources depends on (1) employer-provided census data reported to the plan being complete and accurate along with (2) the accumulation and maintenance of this data by the plan being complete and accurate. To help mitigate the risk of the plan’s actuary using incomplete or inaccurate census data within similar agent multiple-employer plans, the AAG-SLG (§ 13.181 (A-27) for pensions and § 14.141 for OPEB) recommends an employer annually reconcile its active members’ census data to a report from the plan of census data submitted to the plan’s actuary, by comparing the current year’s census data file to both the prior year’s census data file and its underlying records for changes occurring during the current year.
The Governor’s Office management stated the census data exceptions were due to a lack of a formal annual reconciliation process at the agency level to ensure accuracy of census data. Individual State agencies have procedures in place to minimize census data errors, but to date, there is no required formal annual reconciliation procedure.
The Office of Comptroller’s management indicated that census data exceptions were caused by a lack of sufficient reconciliation procedures at State agencies to ensure accuracy of census data submitted to its pension and OPEB plans.
We recommended the Office of the Governor and Office of Comptroller work with the State agencies to develop an annual process to reconcile its active members’ census data from its agency/employer’s underlying records to a report from each plan of census data submitted to the plan’s actuary. After completing an initial full reconciliation, the State may limit the annual reconciliation to focus on the incremental changes to the census data file from the prior actuarial valuation, provided no risks are identified that incomplete or inaccurate reporting of census data may have occurred during prior periods.
The Office of the Governor accepted our recommendation and stated several State agencies already have numerous edit checks, reconciliation procedures, and internal controls to prevent error. Notably, some agencies selected for census data testing had no census data exceptions, and those that did have exceptions did not materially impact the current financial statement. The Governor acknowledges, however, that the State should work toward eliminating risk factors that could result in misstatements and miscalculations in the future. A statewide, formal reconciliation procedure could greatly reduce or eliminate census data exceptions in future audits. The Governor will continue to work with the Office of the Comptroller, State agencies, and the pension systems to assist in efforts underway to create such a procedure.
The Office of Comptroller accepted our recommendation and stated several State agencies that were selected for sample testing of census data had no exceptions, and as indicated in the finding, the exceptions that were noted in the census data testing at other agencies did not materially impact the State’s financial statements. State agencies, as well as the pension and OPEB plans, have numerous edit checks, reconciliation procedures, and internal controls that help minimize errors. However, the Office of Comptroller agrees that a formal reconciliation process across all State agencies should be developed. The pension and OPEB plans have begun to develop this process and the Office of Comptroller plans to assist them in their efforts to ensure census data submissions are accurate.
UNTIMELY PROCESSING OF APPLICATIONS FOR BENEFITS AND REDETERMINATIONS OF ELIGIBILITY FOR BENEFITS
The Illinois Department of Healthcare and Family Services (HFS) and the Illinois Department of Human Services (DHS) (collectively, the “Departments”) did not maintain adequate internal control to ensure applications for benefits and redeterminations of eligibility for benefits were completed timely.
As part of our audit procedures, we tested the Departments’ compliance with the federal time requirements for approving or denying applications, conducting redeterminations, and working any changes communicated by recipients for the SNAP, TANF, and Medical programs.
• For change documentation (a/k/a maintenance) - when a recipient encounters a change in their situation, which may have an impact on eligibility, the recipient is to notify the Departments of such change. As of June 30, 2020, the Departments had a backlog of 70,466 cases in which information had been received; however, not reviewed. Because the information had not been reviewed, the Departments did not know the program(s) which might be impacted. As such, we were unable to determine the timeliness of processing the information.
• For initial applications - At June 30, 2020, the Departments had a backlog of 20,511 medical applications, 4,208 SNAP applications, and 2,223 TANF applications, for which the determination of eligibility to receive benefits was not completed timely. Additionally, there were 8,989 applications in which the applicant did not specify the program; therefore, we were unable to determine the timeliness of the application.
• For redeterminations - As of June 30, 2020, DHS had not timely redetermined the eligibility of 881 SNAP and/or TANF recipients to continue receiving benefits upon receipt of redetermination information from the recipient. In addition, DHS had received redetermination information from 1,145 SNAP and/or TANF recipients; however, due to a defect within IES, the date the information was received was not documented. Because the received date was missing, we were unable to determine the timeliness of these redeterminations.
We recommended the Departments work together to implement controls to comply with the requirement that applications are reviewed and approved or denied within 45 or 30 days, as applicable, and the Departments establish appropriate controls to both monitor the progress of eligibility redeterminations and ensure those redeterminations occur timely along with any change documentation received.
HFS accepted the recommendation and stated it will work with DHS to maintain eligibility staffing levels to assure continued reductions in applications pending over 45 days and to be prepared to handle work associated with, once again, sending redeterminations forms after the public health emergency ends. If necessary, HFS stated it will develop additional strategies based on Federal CMS guidance to the State regarding requirements for resuming full redetermination processing at the end of the public health emergency.
FAILURE TO IMPLEMENT GENERAL INFORMATION TECHNOLOGY CONTROLS OVER THE PANDEMIC UNEMPLOYMENT ASSISTANCE SYSTEM
The Illinois Department of Employment Security (Department) failed to implement general Information Technology (IT) controls over the Pandemic Unemployment Assistance (PUA) System.
During testing, some of the more significant issues we noted included the following:
• The Department could not provide a System and Organization Controls (SOC) report for the PUA system. • The Department was unable to provide documentation demonstrating the completeness and accuracy of the population of changes made to the PUA system.
• For 5 of 30 (17%) system changes tested, the Department could not provide documentation demonstrating changes were approved prior to being moved into the production environment. • The Department had not conducted a review of access rights to the PUA system during the audit period.
• The Department could not provide documentation demonstrating users’ access was timely terminated.
• The Department had not developed a disaster recovery plan in order to recover the PUA system in the event of a disaster.
As a result of the Department’s failure to obtain a SOC report or ensure the general IT controls were suitably designed and operating effectively over the system, we were unable to rely on the system with respect to claimant eligibility and whether benefit payments made were in accordance with federal requirements.
We recommended the Department ensure the contract with the service provider includes requirements for independent review of internal controls, such as a SOC report. Additionally, we recommended the Department develop internal controls to maintain documentation demonstrating populations of changes and system user access are complete and accurate. We also recommended the Department strengthen controls over policies and procedures, system changes, segregation of duties, user access approval and termination, and user access reviews. Finally, we recommended the Department work with its service provider to develop a detailed disaster recovery plan for recovery of the system and the claimants’ data.
The Department accepted the finding and indicated it was pursuing contractual arrangements to secure a SOC report.
FAILURE TO ACCURATELY DETERMINE CLAIMANTS’ ELIGIBILITY FOR PANDEMIC UNEMPLOYMENT ASSISTANCE
The Illinois Department of Employment Security (Department) failed to ensure Pandemic Unemployment Assistance (PUA) claimants met eligibility requirements.
During testing, some of the more significant issues we noted included the following:
• The Department did not validate the wages of all claimants receiving more than the minimum weekly payment amount of $198. The total amount paid for PUA above the minimum was $96,931,104.
• 4,579 claimants’ identities were not validated. Additionally, the Department had not completed follow up actions to verify the identities of these claimants. The total PUA and Federal Pandemic Unemployment Compensation (FPUC) benefits paid to these claimants was $41,697,272.
• 266 claimants received PUA and FPUC benefits totaling $2,668,266; however, the claimants’ birthdays were the same day or later than the date of the claim. The birthdate of the claimants ranged from the same day as the application for benefits to 2029.
• 35 claimants were deceased at the time of receiving PUA and FPUC benefits. This was determined by matching the Social Security number on the application with records maintained by the Social Security Administration. The claimants were paid PUA and FPUC benefits totaling $343,670.
We recommended the Department implement controls to ensure individuals are eligible to receive benefits prior to payment. Additionally, we recommended the Department ensure all staff are trained on the requirements to ensure eligibility is properly and timely determined.
The Department accepted the finding and stated it has been engaged in an ongoing effort to quickly implement the PUA program accurately as well as respond to additional information and provide changes issued by the U.S. Department of Labor in subsequent Unemployment Insurance Program Letters (UIPL).
WEAKNESSES IN PREPARATION OF GAAP REPORTING FORMS SUBMITTED TO THE OFFICE OF THE COMPTROLLER AND PREPARATION OF YEAR-END DEPARTMENT FINANCIAL STATEMENTS AND SCHEDULES
The Illinois Department of Corrections’ (Department) year-end financial reporting in accordance with generally accepted accounting principles (GAAP) submitted to the Office of Comptroller (Comptroller) contained inaccuracies due to improper accounting and inadequate review. These problems, if not detected by the auditors and corrected by the Department, could have materially misstated the Department’s financial statements, and negatively impacted the financial statements prepared by the Comptroller.
Some of the conditions noted include:
• We identified three errors in recording backpay liabilities and accounts payable as of June 30, 2019. These errors resulted in a $93.2 million overstatement of the Fiscal Year 2020 beginning fund balance for governmental funds and beginning net position for governmental activities.
• The Department did not accrue liabilities totaling $36 million, which were identified by the Comptroller.
• Accounts payable totaling $5.6 million were not accrued as of June 30, 2020.
• Weaknesses in the financial accounting for, and inaccurate and inadequate recordkeeping of, capital assets resulted in financial audit adjustments and note disclosures.
We recommended the Department outline, document, and implement procedures to ensure GAAP reporting, financial statements and schedules are prepared accurately. We also recommended the Department maintain documentation of the calculation and basis of liability estimates. In addition, we recommended the Department identify the appropriate reports and timing for complete and accurate recording of payables. Lastly, we recommended proper year-end cut-off procedures and internal reviews be included in those procedures as a method to identify and correct errors prior to the submission of financial information to the Comptroller and other external parties.
The Department accepted the auditor’s recommendation and stated it will strengthen its controls and documentation related to liability estimates used in the financial statements.
FAILURE TO MEET COURT-ORDERED MENTAL HEALTH SERVICE REQUIREMENTS
The Illinois Department of Corrections (Department) failed to meet requirements of a settlement agreement and court order for the provision of mental health services to mentally ill inmates in custody of the Department during the examination period.
In April of 2019, the United States District Court issued a permanent injunction after finding the Department was “not in substantial compliance” with the settlement agreement entered by the parties in December 2015. The permanent injunction issued by the District Court, Rasho v. Walker, 376 F.Supp.3d 888 (C.D. Ill. 2019) (“the court order”), ordered the Department to provide mental health treatment to prisoners, as well as to provide medication management, mental health evaluations, and necessary mental health staff throughout the correctional system.
Based on the auditor’s review of staffing levels reported by the Department, the Department failed to meet hiring requirements from the effective date of the permanent injunction through Fiscal Year 2020. In addition, in the report created by the Department to certify each facility’s compliance with court-ordered requirements, the Department reported numerous facilities did not meet all court-ordered requirements for some mental health service areas. The auditors recommended the Department allocate the necessary resources and take all reasonable and appropriate measures in order to meet court-mandated staffing and reporting requirements.
The Department accepted the recommendation and agreed the audit accurately reflects the publicly available data within facility certifications that self-identify compliance with the permanent injunction in Rasho. The Department also stated the facility certifications provide no more than an opinion of those at the facility level regarding their compliance with the order. The Department stated its quarterly reports fully explain how and why it has complied with the 29 data points set forth in the injunction. The Department further responded by stating it has, at all times, during the effective date of the permanent injunction provided appropriate and constitutionally required mental health care to its population. The Department stated its compliance with the 29 requirements within the Rasho permanent injunction throughout the entire system (28 facilities), based solely on facility certifications, indicates it has averaged 91.28% (The Department stated that in this calculation, a facility is considered compliant with a mandate within the Rasho permanent injunction if it rates its compliance 85% or more, consistent with National Commission on Correctional Heath Care standards) compliance over the span of the audit cycle.
In an accountant’s comment, we noted the Department’s response contradicts evidence examined, as follows:
• When other quarterly report components documenting compliance by each facility are considered, the quarterly reports still disclose noncompliance with court-ordered requirements.
• The documentation provided to the auditors does not provide sufficiently appropriate audit evidence to establish the Department’s compliance with the staffing requirements of the court order.
• The Department cannot both certify to the Court that the Department’s submissions certify each facility’s compliance as required by the court order, while also indicating to the auditors that those certifications are not the Department’s opinion.
• The compliance rates cited by the Department are misleading and incorrectly imply the Department has exceeded court-ordered compliance requirements. Each of the facilities did not meet at least 85% compliance with each of the 29 directives based on facility certifications, as reported by the Department to the Court.
SIGNIFICANT UNDERSTATEMENT OF OPEB BALANCES
The Illinois State Toll Highway Authority (Tollway) did not identify an allocation error within its other postemployment benefits (OPEB) amounts recorded in its financial statements, resulting in a beginning balance restatement which reduced the Tollway’s unrestricted net position by $505,692,050.
During testing, we noted employee-related costs incurred by the Tollway include both Tollway employees and staff of the Illinois State Police (ISP) consisting of four groups, as defined and further described below:
• “True Tollway Employees” work for the Tollway, including its administrative, engineering, traffic, construction, and maintenance staff. These employees are paid on Tollway payroll vouchers and participate in the Tollway’s own group insurance program. Upon retirement, they transition to the State Employees Group Insurance Program (SEGIP) administered by the State of Illinois, Department of Central Management Services (CMS) for their OPEB. SEGIP does not receive a “retiree-load” charge (a charge added to contributions for current employees to obtain cash to pay benefit costs for retirees on a pay-as-you-go basis) for these employees’ current benefits provided by the Tollway’s own group insurance plan.
• “ISP District 15 State Troopers” consist of two groups providing personal services within ISP District 15, which patrols the highways and facilities which encompass the Tollway’s operations.
1. The majority of these employees participate in the SEGIP for both their current employee benefits and OPEB during retirement.
2. Master sergeants, however, can opt-out of SEGIP for healthcare benefits and participate in the Teamsters Local No. 727 Health and Welfare Benefits Fund (union plan) for health insurance along with SEGIP for vision, dental, and life insurance benefits as an employee and then transition to SEGIP for all of their OPEB at retirement.
All troopers are paid on ISP’s payroll vouchers which are charged against the Tollway’s agency number and accounts. These vouchers include contributions to SEGIP for all troopers’ SEGIP-provided benefits. In addition, CMS prepares supplemental billings charged to the Tollway’s accounts for SEGIP to recover the healthcare costs paid to the union plan along with the associated “retiree-load” for SEGIP.
• “ISP District 15 Support Staff” are Tollway employees supporting the troopers assigned to ISP District 15. These employees are paid on Tollway payroll vouchers and participate in the Tollway’s own group insurance program until they transition to SEGIP for their OPEB at retirement. SEGIP does not receive a “retiree-load” charge calculated on these employees’ current benefits from the Tollway’s own group insurance plan.
Because the “True Tollway Employees” and “ISP District 15 Support Staff” participate in the Tollway’s group insurance program until retirement, CMS has not charged the “retiree-load” built into active-employee SEGIP contributions to fund payas-you-go costs associated with retirees participating in SEGIP. Rather, the Tollway reimburses SEGIP for the pro rata share of the cost of providing retiree benefits to those retirees who had service in “True Tollway Employees” and “ISP District 15 Support Staff” positions compared to their total service credit to the State as determined by the State Employees’ Retirement System of Illinois (SERS), as required by the State Employees Group Insurance Act of 1971 (Act) (5 ILCS 375/11).
During our review of the SEGIP allocation, we noted CMS only considered current employee contributions (accounted for within detail object code 1180 group insurance contributions) to SEGIP within its allocation methodology. Both CMS and the Tollway failed to identify the pro rata share for “True Tollway Employees” and “ISP District 15 Support Staff” had not been considered in SEGIP’s State Fiscal Year 2019 allocation, which supported the Tollway’s opening balances for Calendar Year 2020.
After bringing this matter to the attention of officials at both the Tollway and CMS, CMS corrected these errors and reallocated SEGIP’s total Fiscal Year 2019 OPEB liability and determined the Tollway’s OPEB balances at January 1, 2020, should have been:
OPEB-related Deferred Inflows of Resources…………………...$66,818,243
OPEB-related Deferred Outflows of Resources…………………$22,095,550
Additionally, Tollway officials recalculated the Tollway’s subsequent contributions to SEGIP for all four groups after considering each group’s unique OPEB characteristics and the impact of the error described in Finding 2020-003, estimating the Tollway’s subsequent contributions to SEGIP balance at January 1, 2020, should have been:
OPEB-related Deferred Outflows of Resources…………………$19,180,890
We recommended the Tollway communicate with CMS so both parties have a complete understanding of the Tollway’s various employee groups so the factors unique to each group can be considered in preparing SEGIP’s separately-stated liability for “True Tollway Employees” and “ISP District 15 Support Staff” and proportionate allocation of OPEB balances related to “ISP District 15 State Troopers” among the State’s other funds and public universities. In addition, the Tollway and CMS should develop internal controls to reconcile the active and inactive “True Tollway Employees” and “ISP District 15 Support Staff” recorded within the SERS’ records to the Tollway’s records by focusing on the incremental changes from the prior reconciliation to ensure SEGIP’s separately-stated OPEB balances associated with the Tollway are determined using complete and accurate data. Finally, the Tollway and CMS should implement internal controls to ensure the pro rata share estimate of future retiree benefits for “True Tollway Employees” and “ISP District 15 Support Staff” is prepared using a three-year rolling average of the pro rata share of current retirees and this average is complete and accurate.
The Tollway concurs with the auditor’s recommendation. At all times on and after the OPEB standard was established, the Tollway utilized an audited allocation report provided by CMS, the SEGIP plan administrator, and relied upon external auditors. Also, the Tollway advised CMS of its group insurance arrangements and of the fact that the Tollway was not contributing to SEGIP for active employees. Further, based upon historical contributions for Tollway retirees, the OPEB liability allocated to the Tollway appeared reasonable. The Tollway will work with CMS to develop an ongoing reconciliation process to ensure the Tollway’s share of the net OPEB liability is properly allocated.
In an auditor’s comment, we noted the Clarified Statements on Auditing Standards (AU-C § 200.05) published by the American Institute of Certified Public Accountants states:
“The financial statements subject to audit are those of the entity, prepared and presented by management of the entity with oversight from those charged with governance. … The audit of the financial statements does not relieve management or those charged with governance of their responsibilities.”
As noted in the finding, Tollway officials were responsible for understanding SEGIP’s allocation methodology and communicating with CMS officials about how the Tollway’s unique group insurance program and governing provision within Section 11 of the Act impacted SEGIP’s allocation and Tollway’s OPEB balances. Meanwhile, CMS officials were solely responsible for preparing a complete and accurate allocation schedule for SEGIP, and the Tollway’s governing board and management were solely responsible for preparing complete and accurate financial statements and the Tollway. The fact audits occurred, which were only designed to obtain a high, but not absolute, level of assurance SEGIP’s schedules and the Tollway’s financial statements were not materially misstated, does not relieve the Tollway’s governing board and management nor CMS’ officials of their responsibilities under the professional standards.
NEED TO ENHANCE RELATIONS WITH THE ILLINOIS STATE POLICE
The Illinois State Toll Highway Authority (Tollway) needs to update the duties, roles, functions, and responsibilities within its Intergovernmental Agreement (IGA) with the Illinois State Police (ISP).
The State Police Act (20 ILCS 2610/20) notes ISP and the Tollway may enter into an IGA to provide for policing of toll highways, including remuneration of police services, which comprise of (1) compensation and training of troopers and clerical employees, (2) uniforms, equipment, and supplies used by the ISP in patrolling the Tollway, and (3) reimbursements for injuries or occupational illnesses suffered by ISP personnel in the line of duty. In accordance with this IGA, ISP has assigned troopers to District 15 who police the Tollway’s highways and facilities, while also allowing for troopers to be diverted to or from District 15 in emergency situations. This IGA was last updated on July 17, 2012.
During testing, we noted the following:
• The IGA does not address how the Tollway and ISP will implement a census data reconciliation process for the troopers directly paid for by the Tollway to provide assurance census data submitted to the State Employees’ Retirement System of Illinois (SERS) for pension benefits and the State Employees Group Insurance Program administered by the State of Illinois, Department of Central Management Services (CMS) for the troopers’ other postemployment benefits (OPEB) is complete and accurate. Under the current process, we noted:
1. ISP maintains each trooper’s personnel records;
2. ISP is responsible for updating each trooper’s personnel records;
3. the Tollway is responsible for transmitting the census data within each trooper’s personnel records to SERS and CMS through the Tollway’s transmission of payroll data to the Office of the Comptroller to actually pay the troopers for their work; and,
4. the Tollway is responsible for subsequently ensuring the information transmitted to SERS and CMS agrees with the records maintained by ISP which support the pension and OPEB balances recorded in the Tollway’s financial statements.
• The Tollway and ISP have not fully established proper procedures and mutual understanding of what books and records should be shared between the Tollway and ISP to enable complete and accurate financial reporting within the IGA. For example, we noted an instance where Tollway requests for ISP to produce records necessary to determine the completeness and accuracy of OPEB amounts as part of the Tollway’s efforts to correct the conditions noted in Finding 2020-001 was denied by ISP. After follow-up by the Office of the Auditor General and the Governor’s Office of Management and Budget, the ISP would only provide this requested information to us and not to the Tollway’s officials. Ultimately, we had to design alternative procedures to address not receiving this request. This type of routine interaction should be addressed by the IGA as opposed to requiring intervention by other State officials.
While the IGA (Part IV, Section B) notes ISP shall supply, upon the request of the Tollway, additional books and records related to the cost or efficiency of providing police services to the Tollway, the IGA does not establish what and how financial and nonfinancial records needed to prepare financial information are to be supplied between Tollway and ISP officials.
• The Tollway and ISP do not appear to have active communication protocols to address financial matters within the IGA. We identified several instances of confusion about the responsibilities of the parties and no clear assigned point of contact at both the Tollway and ISP who would oversee their respective party’s interactions with the other party within the IGA.
• The IGA does not address the Tollway’s need for promptness in responses by the ISP, which can negatively impact the Tollway’s ability to have its financial statements audited and posted on the Municipal Securities Rulemaking Board’s Electronic Municipal Market Access system by the deadlines established within the Tollway’s continuing disclosure agreements for its bond issues. Further, Concepts Statement No. 1 of the Governmental Accounting Standards Board, Objectives of Financial Reporting (paragraph 66), states, “If financial reports are to be useful, they must be issued soon enough after the reported events to affect decisions.” Finally, Government Finance Officers Association guidance notes governments should complete and file their Annual Comprehensive Financial Report (ACFR) no later than six months after the end of a government’s fiscal year to be eligible to receive a Certificate of Excellence in Financial Reporting award.
• The ISP has not been able to maintain a minimum staffing level of 175 troopers assigned to District 15. The IGA (Part II, Section K) requires, subject to budget availability and certain reassignments and/or diversions allowed for by the IGA, the ISP maintain, at least, 175 troopers with a goal of 196 troopers assigned to District 15.
We recommended the Tollway work with ISP to update its IGA to allow for:
1. performing an initial complete reconciliation of ISP’s census data recorded by SERS and CMS to ISP’s internal records to establish a base year of complete and accurate census data;
2. developing a process to annually obtain from SERS and CMS the incremental changes recorded by SERS and CMS in their census data records and reconcile these changes back to ISP’s internal supporting records;
3. establishing proper procedures and mutual understanding of what books and records can be shared between the Tollway and ISP to facilitate each party’s operations;
4. establishing active communication protocols to address financial matters; and,
5. establishing deadlines for responses reflective of the Tollway’s need to release its ACFR within six months after the end of its fiscal year.
Further, we recommend the Tollway and ISP work together to ensure District 15 has, at least, the minimum number of troopers assigned as required by the IGA.
The ISP accepted the recommendation and stated they are currently working with the Tollway to update the IGA and will ensure the recommendations are addressed accordingly. Additionally, there is a cadet class in process for the Tollway which will increase the number of officers above the minimum number of troopers assigned to District 15.
The Tollway agreed with recommendations 1 through 5, but disagrees that the IGA unconditionally requires a minimum staffing level.
In an auditors’ comment, we noted the Tollway has not provided any evidence to indicate Tollway officials had a separate agreement with ISP officials or that budget availability, reassignments, or diversions as allowed for by the IGA occurred during the period resulting in less than 175 troopers being assigned to ISP’s District 15. In fact, as noted in the finding, ISP officials pointed to several ISP-wide issues as being the root cause of not having 175 troopers assigned to District 15, which did not include any of the conditions noted in the response from the Tollway’s officials. We continue to recommend the Tollway work with the ISP to maintain the minimum number of troopers at District 15.
INACCURATE FINANCIAL REPORTING
The Illinois Housing Development Authority (Authority) has not established adequate internal controls over the financial reporting process and the recording of financial transactions within its books and records.
During the year ended June 30, 2020, the Authority made a number of changes in the financial reporting process. While doing so, the Authority failed to establish additional oversight and monitoring procedures to ensure the financial statements were properly prepared and presented. As a result, the draft financial statements prepared by management and provided to the auditors contained errors which required adjustment to the financial statements. The following are some of the matters noted during the audit:
• The Authority incorrectly reported their Ambac Assurance Corporation loans outstanding within footnote 5. The originally reported amount was $55,579,568 while the correct amount was $5,579,568 resulting in a difference of ($50,000,000). A proposed adjustment for these differences was recorded by the Authority.
• The Authority incorrectly reported the bonds and notes outstanding related to conduit debt obligations within footnote 8(e) of the financial statements as $1,175,921,664 while the correct amount was $1,147,626,343 resulting in a difference of ($28,295,321). A proposed adjustment for these differences was recorded by the Authority.
• The Authority incorrectly reported accrued liabilities and other liabilities for the Administrative Fund, Mortgage Loan Program Fund, Home Program Fund and the Hardest Hit Fund in the Statement of Net Position and the Balance Sheet which required numerous adjustment to these accounts. The proposed adjustments were recorded by the Authority.
• Within the Statement of Net Position and the Statement of Revenues, Expenses and Changes in Net Position for the Business-Type Activities, the Authority incorrectly reported amounts in the Administrative Fund. The Authority understated Due from Other Funds by $13,399,832 and understated Due To Other Funds by the same amount on the financial statements.
• Journal entry adjustments were also proposed and made by the Authority to correct differences noted within the Administrative Fund for the following accounts: Deposits held in Escrow, Accrued Liabilities and Other, Interest and Other Investment Income, Service Fees, Development Fees, Other Revenue, Professional Fees, Other General and Administrative expenses and Financing Costs.
• For the Authority’s Single Family Program Fund, we noted the financial statements understated the Derivative Instrument Liability by ($9,132,010) and overstated the Accumulated increase in the fair value of hedging derivative by $9,132,010. A proposed adjustment for these differences was recorded by the Authority.
We recommended the Authority review its internal control policies and procedures to ensure financial transactions are accurately reported in the general ledger and accurately reported in the financial statements and footnote disclosures.
Authority officials accepted the recommendation and stated they will continue to enhance its internal control policies and procedures to address the conditions noted within this finding.
INADEQUATE CONTROL OVER PROPERTY AND EQUIPMENT
The Illinois State Police (Department) did not exercise adequate control over State property and equipment.
Due to the following process and control deficiencies identified below, we were unable to conclude whether the Department’s population records were sufficiently precise and detailed under the Attestation Standards promulgated by the American Institute of Certified Public Accountants (AT-C § 205.35) in order to test the Department’s controls over State property and equipment.
Even given the population limitations noted above which hindered the ability of the accountants to conclude whether selected samples were representative of the population as a whole, we performed testing. Below are some of the items noted:
• During review of the Department’s discrepancy listings, we noted the Department did not have adequate controls over lost or missing property. We noted 55 of 60 (92%) items listed as lost or missing could possibly have confidential information stored on them. Items included servers, computers, laptops, tablet, and a camera with a memory card.
• When attempting to reconcile the Department’s equipment purchase records to the Office of the Comptroller’s (Comptroller) record of equipment expenditures, we noted the Department was unable to reconcile the differences noted between the Object Expense/Expenditures by Quarter Report (SA02) and the Agency’s Report of State Property (C-15) reports. During the engagement period, the Department had $81,877,026 in gross equipment and electronic data processing expenditures. However, only $52,300,997 in gross equipment and electronic data processing expenditures were reported.
• When attempting to reconcile the Department’s Fiscal Year 2020 schedules of additions, deletions, and transfers to the Department’s Fiscal Year 2020 property control listing, we noted $2,335,955 of unknown activity which was not reported on the Department’s Fiscal Year 2020 schedules of additions, deletions, and transfers. The Department was unable to identify the unknown activity.
• The Department’s property records at June 30, 2020 and 2019 did not agree to the C-15 reports submitted to the Comptroller by approximately $12,466,712 and $692,707, respectively. Management attempted a reconciliation for June 30, 2020 and identified $692,707 of property that should have been recorded to the Department’s property records. The Department did not attempt to prepare a reconciliation between the Department’s records and the C-15 reports at June 30, 2019.
• The Department’s Fiscal Year 2020 and Fiscal Year 2019 records of additions, deletions, and transfers did not agree to the C-15 reports submitted to the Comptroller by $628,528 and $17,155,753, respectively. The Department did not attempt to prepare a reconciliation between the Department’s Fiscal Year 2020 and Fiscal Year 2019 records of additions, deletions, and transfers and the C-15 reports.
• The Fiscal Year 2020 and Fiscal Year 2019 Annual Certification of Inventory could be inaccurate based upon failure to perform reconciliations of the Department’s property records. The Fiscal Year 2020 Annual Certification of Inventory reported 661 missing items totaling $2,243,766 or 0.72% of the total inventoried items. The Fiscal Year 2019 Annual Certification of Inventory reported 626 missing items totaling $1,198,804 or 0.71% of the total inventoried items.
• Seven of 60 (12%) equipment items, totaling $23,344, were reported on both Fiscal Year 2020 and Fiscal Year 2019 Annual Certification of Inventory as being unable to be located. The seven items were not removed from the Department’s June 30, 2020 property records.
• Nineteen of 29 (66%) leases tested were not located on the Department’s property listing as the Department did not record Fiscal Year 2019 and Fiscal Year 2020 capital leases to the Department’s property control records. In addition, the Department did not maintain a detailed listing of leased equipment.
• Eighteen of 29 (62%) leases tested did not report the correct Fair Value at Inception on the Accounting for Leases-Lessee (SCO-560) form.
• Two of 2 (100%) Capital Development Board (CDB) transfer additions, totaling $583,935, were not recorded on the Department’s property records.
We recommended the Department develop procedures to immediately assess if an electronic device may have contained confidential information whenever it is reported lost, stolen, or missing during the annual physical inventory, and document the results of the assessment. We also recommended the Department ensure all equipment is accurately and timely recorded or removed from the Department’s property records and ensure accurate reports are submitted to the Comptroller. Additionally, we recommended the Department update its property control manual and strengthen its controls over the recording and reporting of its State property and equipment by reviewing their inventory and recordkeeping practices to ensure compliance with statutory and regulatory requirements.
Furthermore, we recommended the Department reconcile its property records to the Comptroller’s records and proper reviews be completed.
Department management concurred with the finding and stated they are working to correct their records.
INADEQUATE CONTROLS OVER REMOTE EMPLOYEE ATTENDANCE
The Office of the Attorney General (Office) did not exercise adequate timekeeping controls over attendance for employees working remotely.
Employees who worked off-site from March 16, 2020 through June 30, 2020 were unable to record hours worked in the system used for employee timekeeping, and the Office did not require any other method to keep records of hours worked. Management suspended timekeeping requirements for employees working off-site when the majority of employees worked remotely during this timeframe. During Fiscal Year 2020, the Office employed an average of 767 full-time employees.
We recommended the Office ensure compliance
with the State Officials and Employees Ethics Act by requiring and providing a mechanism for State employees working remotely to periodically submit
time sheets documenting the time spent each day on official State business to the nearest quarter hour.
The Office accepted the recommendation and stated corrective action was implemented effective July 31, 2020.
NONCOMPLIANCE WITH THE ILLINOIS ARTICULATION INITIATIVE ACT
The Illinois State University (University) did not submit a minimum of one course per major under the Illinois Articulation Initiative (Initiative) for some majors offered by the University.
During testing, we noted the University did not
have a minimum of one course included within the related
Initiative major for its art, physics, and psychology degree programs.
We recommended the University comply with the requirements of the Illinois Articulation Initiative Act or seek a legislative remedy. University officials concurred with our recommendation and will work on correcting this matter over the next 12 months.
STATEWIDE SINGLE AUDIT UPDATE
The purpose of the Statewide Single Audit is to fulfill the State mandate in accepting federal funding. It includes all State agencies that are part of the primary government and expend federal awards. In total, 52 Illinois State agencies expended federal financial assistance in FY 2020.
The schedule of expenditures of federal awards reflects total expenditures of $38.369 billion for the year ended June 30, 2020. Overall, the State participated in 312 different federal programs, however, 10 of these programs or program clusters accounted for 90.7% of the total federal award expenditures.
Federal Agencies Providing Federal Funding
For the year ended June 30, 2020
(Amounts in millions)
Health & Human Services: $ 16,904.2
All Others: 893.7
Total Federal Award Expenditures: $ 38,369.2
Source: FY2020 State of Illinois Single Audit Report
Overall, 12 State agencies accounted for approximately 99.1% of all federal dollars spent during FY2020.
SUMMARY OF FEDERAL SPENDING BY STATE AGENCY
For the year ended June 30, 2020
(Amounts in millions)
Healthcare & Family Services: $ 14,480.8
Employment Security: 9,728.9
Human Services: 5,351.3
Student Assistance Commission: 2,861.7
Board of Education: 2,282.9
Commerce & Economic Opportunity: 411.3
Children & Family Services: 348.3
Public Health: 294.9
Environmental Protection Agency: 151.6
Emergency Management Agency: 101.4
All Others: 371.8
Total Federal Spending: $ 38,369.2
Source: FY2020 State of Illinois Supplemental Report of
Federal Expenditures by Agency/Program Fund.
Our audit testing focused primarily on the 28 major programs expending about $34.3 billion in federal awards.
Our report contained 29 findings related to 10 State agencies.
The Performance Audit Program
Performance audits are conducted at the request of legislators to assist them in their oversight function. Based on the scope specified in the resolution or the law requesting the audit, State agencies’ programs, functions, and activities are reviewed. The audits determine if the services are provided as intended by the General Assembly and directly impact and improve agency operations.
The General Assembly uses performance audit information to develop legislation, to deal with budgetary issues, and to direct agencies to improve programs. Some audits produce immediate changes. For example, the 2019 performance audit of the Department of Children and Family Services Investigations of Abuse and Neglect identified several issues related to investigations of child abuse and neglect. Legislation was passed in the Spring of 2019 (Public Act 101-0528) to establish a process by which both unfounded reports and indicated reports of abuse and neglect undergo further review. In addition, the Department is required to file reports about these reviews with the General Assembly. The audit also highlighted issues with the Department’s child abuse hotline. Subsequently, a State Senator requested a review of the hotline. The Department contracted with the University of Illinois’ Children and Family Research Center which conducted the review and issued a report in November 2019 that included 11 recommendations to the Department.
In other instances, significant changes may not be seen for several years. The length of time it takes to see changes is due to the process of transforming the audit findings and recommendations into legislative bills and converting bills into law; additionally, once a law is implemented, the effects may not be apparent for some time.
The National State Auditors Association (NSAA) established the Excellence in Accountability Awards Program in 2003 to recognize outstanding performance audits and special projects. Performance audits performed by the Office of the Auditor General (OAG) have received six NSAA awards in past years:
• 2019 Performance Audit of the Department of Children and Family Services Investigations of Abuse and Neglect;
• 2014 Neighborhood Recovery Initiative Audit (Honorable Mention);
• 2012 Management Audit of the Department of State Police’s Administration of the Firearm Owner’s Identification Act;
• 2007 Performance Audit of the Mass Transit Agencies of Northeastern Illinois: RTA, CTA, Metra, and Pace;
• 2004 Management and Program Audit of the Rend Lake Conservancy District; and
• 2003 Management Audit of the Illinois State Toll Highway Authority.
Another national organization, the National Legislative Program Evaluation Society (NLPES) also has an Impact Award that is given annually to audits that demonstrate significant dollar savings, program improvements, or impact from a legislative and public perspective. The OAG has received the NLPES award for many audits as well:
• 2019 Performance Audit of the Department of Children and Family Services Investigations of Abuse and Neglect;
• 2019 Performance Audit of Legionnaires’ Disease at the Quincy Veterans’ Home;
• 2018 Performance Audit of Medicaid Managed Care Organizations;
• 2016 Program Audit of the College of DuPage;
• 2014 Neighborhood Recovery Initiative Audit;
• 2012 Management Audit of the College Illinois! Prepaid Tuition Program’s Administrative Operations;
• 2012 Management Audit of the Department of State Police’s Administration of the Firearm Owner’s Identification Act;
• 2011 Management Audit of the State’s Financial Reporting System;
• 2010 Program Audit of the Covering ALL KIDS Health Insurance Program;
• 2009 Management and Program Audit of the Illinois State Police’s Division of Forensic Services;
• 2008 Performance Audit of the Department of Healthcare and Family Services’ Prompt Payment Act Compliance and Medicaid Payment Process;
• 2007 Performance Audit of the Mass Transit Agencies of
• 2006 Management Audit of the Flu Vaccine Procurement and the I-SaveRx Program;
• 2004 Management and Program Audit of the Rend Lake Conservancy District;
• 2003 Management Audit of the Illinois State Toll Highway Authority;
• 2002 Management Audit of Agency Use of Internet User Tracking Technology;
• 2001 State Board of Education and Other State Agencies Providing Funding to Illinois’ Regional Offices of Education;
• 2000 Management Audit of Child Support State Disbursement Unit;
• 1999 Management Audit of the Pilsen Little Village Community Mental Health Center; and
• 1998 Management Audit of Tuition and Fee Waivers.
PERFORMANCE AUDITS COMPLETED IN 2021
Auditor General released six performance audits and three reviews in 2021. The performance audits released are listed below. Performance audits released in 2021 included 61 recommendations for improvement.
DHS OFFICE OF THE INSPECTOR GENERAL
The Department of Human Services Act requires the Office of the Inspector General (OIG) to investigate allegations of abuse and neglect that occur in mental health and developmental disability facilities operated by the Department of Human Services (DHS). The Act also requires the OIG to investigate allegations of abuse and neglect that occur in community agencies licensed, certified, or funded by DHS to provide mental health and developmental disability services.
For FY20, there were a total 518 community agencies with 4,401 program sites that were under the investigative jurisdiction of the OIG. In addition, there were also 14 State-operated facilities under the investigative jurisdiction of the OIG.
OIG investigators in many cases are responsible for hundreds of program sites covering large areas of the State, as well as 14 State-operated facilities.
In this audit we reported that:
• There is an overall correlation between the increase in the total number of allegations and the worsening of case completion timeliness.
• From FY10 to FY18 the total number of allegations reported at community agencies has increased by 1,200 (1,500 to 2,700) or 80 percent.
During the same time period, the total allegations at State-operated facilities has increased at a much slower rate. From FY10 to FY18 the total number of allegations reported at State-operated facilities increased by 205 (967 to 1,172) or 21 percent.
• For FY18, FY19, and FY20, community agency allegations accounted for 70 percent, 68 percent, and 67 percent of all reported allegations of abuse or neglect, respectively.
• According to OIG data, during FY20 it took an average of 117 working days (or 170 calendar days) to complete an investigation.
• For FY18, FY19, and FY20, the percentage of cases completed within 60 working days was 44 percent, 38 percent, and 45 percent, respectively.
• There are no investigative completion timeliness standards for the OIG in statute or administrative rule. Only OIG’s directives contain a 60 working day completion requirement for investigations.
• OIG case reports we reviewed generally were thorough, comprehensive, and addressed the allegation.
This audit report contained a total of 16 recommendations to the OIG and DHS. The OIG and DHS generally agreed with the recommendations in the report.
DEPARTMENT OF CHILDREN AND FAMILY SERVICES’ LGBTQ YOUTH IN CARE
Senate Resolution Number 403, adopted May 31, 2019, directed the Auditor General to conduct a performance audit of the Department of Children and Family Services' (Department) compliance with its obligations to protect and affirm children and youth who are lesbian, gay, bisexual, transgender, questioning, or queer.
Overall the audit found that there is a lack of reliable and consistent information regarding LGBTQ youth in the care of the Department. Further, although the Department has established policies and procedures to ensure the well-being of LGBTQ youth in care, the Department did not implement all of these procedures or the procedures were not implemented in a timely manner. We also found that there is a lack of monitoring and oversight of private agency compliance with these procedures.
In this audit, we also reported that:
• The Department does not have a formal process in place to identify youth in care that may identify as
• The Department utilizes outdated, inadequate, or non-existent computer systems to track youth in care and particularly LGBTQ youth in care.
• The Department is not ensuring that caseworkers review the Foster Children's Bill of Rights with youth in care as is required.
• The Department did not implement training requirements in a timely manner.
• The Department failed to monitor the requirements of Appendix K including whether purchase of service (POS) agencies have adopted policies that are at least as extensive as Appendix K.
• The Department does not require licensed foster parents to commit to provide care and homes that are affirming of all children and youth, regardless of sexual orientation or gender identity as part of the licensing process.
• LGBTQ status was taken into consideration for some placements. However, the Department is not utilizing its Child/Caregiver Matching Tool in most cases.
• The Department has taken some steps to recruit LGBTQ affirming foster parents by holding events specifically to recruit LGBTQ affirming parents. However, there was no evidence that these efforts have led to more LGBTQ affirming foster homes.
• The number of emergency shelter beds in Illinois decreased dramatically between FY15 and FY19, leaving some areas of the State with no beds for youth in crisis.
• The Department is not providing accurate and complete information to the General Assembly in the required Youth in Care Waiting for Placement annual reports.
The audit report contained a total of 16 recommendations to the Department. The
Department generally agreed with the recommendations in the report.
ILLINOIS POWER AGENCY – FUTURE ENERGY JOBS ACT
On July 21, 2020, the Legislative Audit Commission adopted Resolution Number 153, which directed the Office of the Auditor General to conduct a performance audit of the Illinois renewable portfolio standard and the Illinois Power Agency’s (IPA) management of the Renewable Energy Credit procurement process and Adjustable Block Program.
The Illinois Power Agency was established in 2007 by Public Act 95-481. The IPA is required to ensure that the procurement of power in Illinois is conducted in an ethical and transparent manner to ensure that its mission to secure power at the best prices the market will bear is not impeded. The IPA was established to serve the people of Illinois by administering electricity and renewable resources planning and procurement processes for Ameren
Illinois Company, Commonwealth Edison Company, and MidAmerican Energy Company.
The audit found:
• Illinois has not met the percentage-based renewable energy goals identified in the Illinois
Power Agency Act. IPA officials stated that procured renewable energy as a percentage of the overall energy produced would be about 10 percent for 2019. However, Section 1-75(c)(1)(B) of the Illinois Power Agency Act requires the procurement of renewable energy credits to be at least 16 percent of the overall electricity produced by June 1, 2019, which suggests that the dollars may not have been maximized. According to IPA officials, the IPA had proposed in the 2018 Long-Term Renewable Resources Procurement Plan annual procurements designed to meet the percentage-based goals; however, the ICC in approving that Plan did not approve those annual procurements. That decision shifted the focus of the IPA’s authorized procurements away from meeting the percentage goals and focused only on meeting the quantitative targets for new wind and solar. However, since the percentage-based goals are not being met, it likely means that future renewable energy goals will not be able to be met timely.
• There are two ways in which renewable energy projects are procured: (1) competitively and (2) through the Adjustable Block Program. Auditors concluded the process in place was both efficient and maximized the dollars spent to increase the renewable portfolio standard in Illinois for the competitive procurement process. However, auditors could not find criteria to use to determine whether funds were maximized or whether they were spent efficiently for the Adjustable Block
The audit report contained one recommendation directed to the Illinois Power Agency. The IPA agreed with the recommendation.
VENDOR PAYMENT PROGRAM
Public Act 100-1089, effective August 24, 2018, amended the State Prompt Payment Act to codify the
Vendor Payment Program (Program). The Public
Act also required the Auditor General to conduct a performance audit of the Program that included a review of the administration of the Program and compliance with requirements applicable to participating vendors, qualified purchasers, qualified accounts receivable, and financial backer disclosures. The audit covered the Program's operations for fiscal years 2019 and 2020.
The Program was developed so that vendors awaiting payment by the State could assign their receivables and any accompanying prompt payment interest, in exchange for immediately receiving payment for 90 percent of the receivable and ultimately receiving 100 percent.
The Department of Central Management Services (CMS) and the Illinois Office of the Comptroller (IOC) administer the Program which, during FY19 and FY20, consisted of five qualified purchasers who purchased over $2.1 billion in receivables. The State paid the five qualified purchasers over $352 million in prompt payment interest penalties during FY19 and FY20.
The audit found:
• CMS and the IOC, while having authority to administer the Program, do not have any agreement that details the responsibilities of each agency in administering the Program.
• CMS failed to document the application periods for those entities seeking to become qualified purchasers in the Program. The failure led CMS to inform an Illinois-based minority-owned firm that attempted to become a potential qualified purchaser that the application period was closed. However, CMS subsequently approved four other qualified purchasers over the next three months immediately following this communication.
• The selection of qualified purchasers for the Program is an important decision that should be guided by sound criteria. While CMS identified criteria for selection, that criteria was not consistently followed. In addition, CMS could not tell us who specifically made the decisions to approve entities seeking to become qualified purchasers and CMS had not maintained documentation to support how qualified purchasers for the Program were selected. Furthermore, from what documentation is available, it appears CMS allowed and facilitated the purchase of receivables by a qualified purchaser that did not have all formalized documentation submitted for selection to the Program.
• CMS and the IOC have not enforced Program Terms relative to Deferred Payment Reserve Accounts for the Program.
• CMS and the IOC allow qualified purchasers to submit financial backer disclosures after the fact. Disclosures due July 1, 2020, had yet to be published by CMS by March 31, 2021. The IOC published the disclosures on March 31, 2021.
Therefore, the public had 639 days of not knowing who was providing financial backing for qualified purchasers participating in the Program. We found that disclosures were not always filed timely and that CMS and the IOC do not know whether the disclosures are accurate.
• While the IOC allows State vendors to receive payments electronically, qualified purchasers under the Vendor Payment Program (Program) do not have the same opportunity. Qualified purchasers reported over $7.2 million in payments made under the Program were mailed to a party other than the qualified purchaser. We found payments mailed to: an incorrect qualified purchaser; an incorrect sub-participant; and the vendor as opposed to the qualified purchaser.
• CMS and the IOC have not taken the necessary actions to confirm that all qualified purchasers have complied with the monthly reporting requirements for the Program. This has resulted in missing data on the monthly reporting that occurred during FY19 and FY20. Additionally, the guidance on what should be reported is inconsistent with the directives from the State
Prompt Payment Act.
• CMS allowed qualified purchasers in the Program to submit, for approval and acknowledgment, receivables which were not yet eligible under the State Prompt Payment Act.
• CMS and the IOC have allowed qualified purchasers to operate the payment process under the Program in violation of the Program Terms. This can result in one qualified purchaser having a competitive advantage over another if its payment terms are more generous than another qualified purchaser.
• CMS and the IOC did not enforce Program Terms when they allowed participating vendors to sell receivables among different qualified purchasers.
• The IOC does not have a plan for payment of interest penalties under the Program. This lack of a plan has resulted in delayed payments which has a negative impact on both qualified purchasers and
State vendors. In our sample of interest payments during FY19-FY20, payments were made between
0 and 547 days from when the State agencies requested the payments.
The audit report contained 11 recommendations directed to CMS and the IOC. CMS agreed with the recommendations. The IOC largely disagreed with the recommendations.
PRESCRIPTION MONITORING PROGRAM
On July 21, 2020, the Legislative Audit Commission passed Resolution Number 154 directing the Office of the Auditor General to conduct a performance audit of the Illinois Prescription Monitoring Program (ILPMP) operated by the Department of Human Services (DHS).
According to DHS, the mission of the ILPMP is to provide prescribers, dispensers, and health providers with the ability to view their current or prospective patient’s controlled substance prescriptions dispensed in Illinois. The ILPMP utilizes an electronic database to collect, store, and access prescription information.
A Prescription Monitoring Program (PMP) continues to be among the most promising state-level interventions to improve opioid prescribing, inform clinical practice, and protect patients at risk.
The audit found:
• Of the 50 states, 49 had a statewide PMP during this review. Most states (84%) used a single contractor to perform all four functions associated with a statewide PMP. Illinois, however, was one of only three states that utilized multiple contractors while performing some functions in-house.
• DHS had not fully implemented the ILPMP by the required dates. DHS was required to establish rules requiring all Electronic Health Record (EHR) systems to interface with the ILPMP and establish actions to be taken if a prescriber’s EHR did not effectively interface, as required. This interfacing would ensure all providers have access to patient records. Although rules on EHRs were established late, DHS could not provide the percent of EHRs that had been interfaced by the required date of January 1, 2021. According to DHS, they have no way of knowing when all EHRs would be fully interfaced, as required.
• The Illinois Controlled Substances Act requires all licensed prescribers to register with the ILPMP as of January 1, 2018. However, as of December 2020, only 68 percent of prescribers were registered.
• Not all dispensers are providing data on the dispensing of controlled substances to the ILPMP, as required. DHS is not conducting follow-up with these dispensers to ensure they provide data or to determine why they are not providing data. The Act gives DHS the ability to impose fines for willfully failing to report the dispensing of a controlled substance. However, according to DHS, no fines have been imposed.
• Dispensers are required to submit information on dispensed controlled substances by the end of the next business day. Since the required dispensed date is not being submitted by dispensers or tracked by DHS, DHS has no way of calculating if dispensers are submitting information in a timely manner.
• During a review of general IT controls, our IS auditors found the ILPMP data, as well as reporting with respect to that data, cannot be relied upon. The review found deficiencies in the areas of contractual services, business processes, change control, disaster recovery, and security. We also tested 60 prescription records for compliance with the Act and Administrative Code. Of the 60 prescription records reviewed, all (100%) contained missing or inaccurate information.
Other specific issues with the data included the following:
• Regarding license numbers, there were entries with:
▪ No license number;
▪ Only one letter or one number in place of the license number;
▪ The word “test” in place of the license number; and
▪ Alpha and numeric values which do not comprise a license number.
• Once the user’s license is initially validated, it is not revalidated to ensure continued validation. Of the 48,818 user accounts, there were 19,501 users that appear to have never logged in. In addition, there were 3,928 accounts with a last login date of more than 12 months.
• For the last 12 months of active data provided by DHS (17,075,814 prescription records):
▪ 273,923 records were for prescriptions filled prior to the time period requested;
▪ 67,520 records contained an animal species code; and
▪ 465 records contained a birthdate with an age over 110.
▪ DHS was also not ensuring all users with access rights to the ILPMP database had valid licenses. Through a comparison with Department of Financial and Professional Regulation (DFPR) licensing data, we identified 2,287 registered users without a valid license.
• DHS had not established an interagency agreement with DFPR to ensure ILPMP licensing data did not contain invalid or outdated information. DHS had also not established a process with the Department of Public Health (DPH) to conduct data reviews of sports and accident injuries, as required by the Act.
• Although the ILPMP Policies and Procedures Manual covers significant procedures such as data security and law enforcement requests, the Manual is outdated. This outdated Manual supports that DHS has not established general IT controls over the data and needs to be updated to ensure these procedures are effectively implemented.
The audit report contained ten recommendations directed to DHS and one recommendation directed to DHS and DPH. DHS and DPH agreed with the recommendations.
FOID CARD/CONCEALED CARRY LICENSE
On July 21, 2020, the Legislative Audit Commission adopted Resolution Number 155 requiring a management audit of the Illinois State Police’s administration of the Firearm Owners Identification Card Act (430 ILCS 65) and the Firearm Concealed Carry Act (430 ILCS 66) for 2018 and 2019. The Resolution contained eight determinations.
Illinois residents are required by the Firearm Owners Identification Card Act to have a valid Firearm
Owner’s Identification card in order to possess or purchase firearms or ammunition. The Act originally became effective in 1968.
The Firearm Concealed Carry Act, effective July 2013, allows an individual to carry a handgun on or about a person completely or mostly concealed from view of the public or on or about a person within a vehicle.
The audit found:
• The current Firearm Owner’s Identification
(FOID) card and Concealed Carry License (CCL) application processes are labor intensive with some steps being completed multiple times for the same application. While some checks, such as those for mental health, are run daily by data match, others, such as checking for matching information with the Illinois Secretary of State, are completed manually by an Illinois State Police Firearms Eligibility Analyst. There is also significant overlap between the FOID and CCL application processes as they contain many of the same steps. Further, the new and renewal application processes also contain similar steps.
• According to Illinois State Police (Department) officials, there are over 40 steps an application must go through before an eligibility determination is made. These steps include both electronic and manual checks to confirm information and determine eligibility. If a match/hit is identified that may prohibit an applicant from possessing a
FOID card or CCL, a Firearms Eligibility Analyst must manually resolve the issue. Having a process that relies heavily on Firearms Eligibility Analysts manually completing steps that could be conducted via an electronic matching process is inefficient and vulnerable to potential mistakes or oversights. Manually verifying information that could be automated slows the time it takes to process applications.
• The number of FOID and CCL applications increased substantially from 2018 to 2019 driven by an increase in renewal applications.
▪ FOID renewal applications increased from 106,862 in 2018 to 146,912 in 2019 or 37.5 percent.
▪ CCL renewal applications increased from 6,341 in 2018 to 61,253 in 2019 or 866.0 percent.
▪ Overall, very
few FOID or CCL applications were denied. For applications received during the
two-year period 2018-2019, there were 20,642 FOID applications denied (3.6%).
The most common reasons for denial were felony convictions (26.5%), mental
health matters (20.3%), and crimes punishable by imprisonment for a term exceeding
one year (18.1%). For the same period, there were 2,438 CCL applications denied
(1.5%). The most common reasons for denial were danger to self or others (45.5%)
and not having a valid FOID card (30.4%).
• The timeliness of processing FOID and CCL applications decreased significantly from 2018 to 2019. Overall, 79.5 percent of FOID applications received during the two-year period were processed within the statutorily required timeframes. However, the percentage of FOID applications processed within statutorily required timeframes dropped from 87.1 percent in 2018 to 72.9 percent in 2019. For Concealed Carry Licenses, overall 64.5 percent of applications submitted in 2018 and 2019 were processed within the statutorily required timeframes. However, the percentage of applications that were processed timely dropped from 93.4 percent in 2018 to only 48.2 percent of applications submitted in 2019.
• The increase in the number of applications that were not processed timely was due primarily to the applications not being started in a timely manner.
▪ In 2018, there was an average 15 day delay to begin processing a FOID application which increased to 22 days in 2019.
▪ For FOID renewals in 2018, there was an average 19 day delay to begin processing the renewal which increased to 46 business days in 2019.
• There were a total of 19,275 FOID cards revoked during 2018 and 2019. The most common prohibitor categories were for mental health and Order of Protection/Restraining Order. The majority of revoked FOID cards are not returned to the Department as is required and a Firearm Disposition Record showing that the weapons had been transferred to someone else was filed in only about one-third of cases. The percentage of revoked FOID cards that were returned to the Department was 44.8 percent in 2018 and 45.8 percent in 2019.
• There were a total of 9,566 Concealed Carry Licenses revoked during 2018 and 2019. The most common prohibitor was Inactive FOID Card at 81.5 percent of all prohibitors. The percentage of licenses returned dropped from 22.4 percent in 2018 to 14.4 percent in 2019.
The audit report contained six recommendations directed to the Illinois State Police. The Department agreed with the recommendations.
REGIONAL OFFICES OF EDUCATION AUDITS
In addition to other duties, the Auditor General has the responsibility for annual audits of the financial statements of the regional superintendent of schools of each educational service region in the State.
There were a total of 38 Fiscal Year 2020 audits the Performance Audit Division had the responsibility for: 35 of Regional Offices of Education (ROEs) and 3 of Intermediate Service Centers (ISCs). Our Office arranged for auditing firms to perform these audits under the general direction and management of the Auditor General’s audit managers.
The FY20 ROE audits released in 2020-2021 contained a total of 48 recommendations for improvement. Most of the recommendations dealt with the ROEs not having sufficient internal controls including controls over their financial reporting processes.
PERFORMANCE AUDITS IN PROGRESS
DCFS CHILD SAFETY AND WELL BEING
Public Act 101-0237 was enacted on August 9, 2019, and it amended both the Children and Family Services Act (20 ILCS 505) and the Abused and Neglected Child Reporting Act (325 ILCS 5). The Public Act also directed the Auditor General to conduct a performance audit one year after the effective date of January 1, 2020. The audit is to determine if the Department of Children and Family Services (DCFS) is meeting the requirements of the Public Act. Within two years of the audit’s release, the Auditor General is to conduct a follow-up performance audit in order to determine if DCFS has implemented the recommendations within the initial performance audit.
MEDICAID LONG-TERM CARE ELIGIBILITY DETERMINATION AUDIT
On August 25, 2017, the Governor signed into law Public Act 100-380 which amended the Public Aid Code. This amendment to the Public Aid Code requires the Auditor General to report every three years to the General Assembly on the performance and compliance of the Department of Healthcare and Family Services (HFS), the Department of Human Services (DHS), and the Department on Aging in meeting the requirements placed upon them by Section 11- 5.4 of the Public Aid Code and federal requirements concerning eligibility determinations for Medicaid long term care services and supports. This is the second audit conducted.
The audit is to, at a minimum, review, consider, and evaluate the following:
• Compliance with federal regulations on furnishing services as related to Medicaid long-term care services and supports as provided under 42 CFR 435.930 – i.e., furnish Medicaid promptly to beneficiaries without any delay caused by the agency’s administrative procedures;
• Compliance with federal regulations on the timely determination of eligibility as provided under 42 CFR 435.912 – i.e., the determination of eligibility for any applicant may not exceed: (i) Ninety days for applicants who apply for Medicaid on the basis of disability; and (ii) Forty-five days for all other applicants;
• The accuracy and completeness of the report required under paragraph (9) of subsection (e) – i.e., monthly reports posted to the DHS and HFS websites on the applications and redeterminations pending long-term care eligibility determination and admission and the number of appeals of denials in given categories;
• The efficacy and efficiency of the task-based process used for making eligibility determinations in the centralized offices of the Department of Human Services for long-term care services, including the role of the State’s integrated eligibility system, as opposed to the traditional caseworker-specific process from which these central offices have converted; and
• Any issues affecting eligibility determinations related to the Department of Human Services’ staff completing Medicaid eligibility determinations instead of the designated single-state Medicaid agency in Illinois, the Department of Healthcare and Family Services.
LASALLE VETERANS’ HOME
On April 28, 2021, the Illinois House of Representatives adopted House Resolution Number 62, which directed the Office of the Auditor General to conduct a performance audit of the State's response to the management of the COVID-19 outbreak at the LaSalle Veterans’ Home. The audit was to specifically include, but not be limited to, the following determinations:
1. The response of the Department of Veterans’ Affairs to the outbreak of COVID-19 in 2020 at the LaSalle Veterans’ Home, including the recommendations made in the November 13, 2020 site visit by the Illinois Department of Public Health (IDPM) and the Department's actions to address those recommendations;
2. The type, cost, and timing of any infrastructure or other building improvements intended to contain the further spread of COVID-19 or prevent its reoccurrence at the LaSalle Veterans’ Home;
3. The nature of changes made by the Department in operating protocols and staff training thereon, intended to contain the further spread of COVID-19 or prevent its reoccurrence at the LaSalle Veterans’ Home;
4. The nature and extent of monitoring conducted by the Department to determine whether the improvements and protocols put in place are effective to ensure the safety of residents and staff at the LaSalle Veterans’ Home;
5. The amount of State moneys received and the amount of State moneys expended by IDPH or any other State agency during State fiscal years 2020 and 2021 to address the COVID-19 outbreaks at the LaSalle Veterans’ Home; and
6. To the extent information is available, whether the LaSalle Veterans’ Home has been the subject of any reviews since 2015 to determine its compliance with applicable laws and regulations with regard to the care of its residents and, if so, the results of those reviews.
ILLINOIS DEPARTMENT OF EMPLOYMENT SECURITY’S UNEMPLOYMENT PROGRAMS
On September 1, 2021, the Legislative Audit Commission adopted Resolution Number 158, which directed the Office of the Auditor General to conduct a performance audit of the unemployment programs administered by the Illinois Department of Employment Security during the period of March 1, 2020 and September 6, 2021. The audit was to specifically include, but not be limited to, the
1. A review of the application and review processes and the payment of benefits to individuals focusing on any fraud or inefficiencies which could be eliminated to contain costs and improve the delivery of benefits to eligible individuals;
2. To the extent feasible, a detailed account of the funds allegedly disbursed to ineligible and/or fraudulent claimants;
3. The types of unemployment fraud schemes the Illinois Department of Employment Security has experienced and what steps and procedures it has taken to detect and respond to fraudulent unemployment claims and whether it has cooperated with the Illinois Attorney General or federal authorities to detect, counter, and prosecute potentially fraudulent cases;
4. Whether the
Illinois Department of Employment Security has complied with all State and
federal statutory and administrative requirements for processing and auditing
5. An examination of the Illinois Department of Employment Security’s decision not to implement additional fraud-prevention tools in April 2020 as recommended by the federal government and a report on whether the State has, since that time, come into compliance with federal recommendations;
6. What factors caused and continue to cause delays in the Illinois Department of Employment Security’s processing of unemployment claims, looking particularly at administrative decisions, technology, and staffing, and what steps the
Illinois Department of Employment Security has taken to alleviate these delays;
7. What third-party contractors did the Illinois Department of Employment Security utilize during this time period and were any of these contracts no-bid contracts; did a third-party contractor calculate weekly benefit amounts for Pandemic Unemployment Assistance claimants and, if so, were there any procedures to verify the accuracy of their calculations; did third-party contractors meet the performance measure established by the Illinois Department of Employment Security prior to the issuance of the contracts; and
8. A summary of the average case processing time, the timeliness of benefit payments, and the accuracy of these payments.
BUSINESS INTERRUPTION GRANT PROGRAM
On September 1, 2021, the Legislative Audit Commission adopted Resolution Number 159, which directed the Office of the Auditor General to conduct a program audit of the Business Interruption Grant (BIG) program for the period March 2020 to July 2021. The audit was to specifically include, but not be limited to, the following determinations:
1. An examination of the application process, the documentation submitted, and the selection of grants by DCEO, DHS, and DOA for the BIG program;
2. An examination of the monitoring oversight by DCEO, DHS, and DOA for grant recipients including whether all eligibility requirements were satisfied and expenses submitted were allowable;
3. An examination of how DCEO allocated funding in the BIG program to disproportionately impacted areas and whether the allocation was at least 30 percent of total funding;
4. An examination of DCEO compliance with prioritizing severely impacted businesses and industries;
5. An examination of the role of the Community Navigators, if any, in the selection of grant recipients in the BIG program; and
6. An examination of the actions taken by DCEO, DHS, and DOA when a BIG participant was not in compliance with any step in the application process or made a material misrepresentation in reporting on the use of funds provided as part of the BIG program.
IDOT’S DISADVANTAGED BUSINESS ENTERPRISE CERTIFICATION PROGRAM
On September 1, 2021, the Legislative Audit Commission adopted Resolution Number 160, which directed the Office of the Auditor General to conduct a performance audit of the Illinois Department of Transportation's certification of businesses as DBEs (Disadvantaged Business Enterprise) through the Illinois Unified Certification Program (IL UCP). The audit was to specifically include, but not be limited to, the following determinations:
1. Whether certification and recertification procedures are adequate to assure that businesses certified by IDOT in the IL UCP are legitimately classified as businesses owned and controlled by minorities, females, or persons with disabilities;
2. Whether the established procedures and processes that govern certification of businesses owned and controlled by minorities, females, or persons with disabilities are being followed;
3. Whether staff responsible for certification of these businesses have received adequate training;
4. What steps are followed to verify information provided by businesses certified by IDOT in the IL UCP, such as review of pertinent documentation, interviews, and on-site visits;
5. Whether the certifications are periodically reviewed to ensure that businesses in the program continue to be qualified for participation;
6. Whether procedures for enforcing compliance with federal regulations, including contract termination and contractor suspension, are adequate and uniformly enforced; and
7. Whether recent DBE goals established by IDOT have been met.
REGIONAL OFFICES OF EDUCATION
Since 2002, the School Code (105 ILCS 5/2-3.17a) has required the Auditor General’s Office to conduct annual audits of the financial statements of all accounts, funds, and other moneys in the care, custody, or control of the regional superintendent of schools of each educational service region in the State. For Fiscal Year 2021, a total of 38 audits are to be performed.
OAG FRAUD HOTLINE
The Auditor General’s Office is required by law [30 ILCS 5/2-15, added by P.A. 97-261, effective August 5, 2011] to operate a toll-free fraud hotline for the public to report allegations of fraud in the executive branch of State government. The hotline went into operation at the beginning of January 2012.
The toll free number is 1-855-217-1895. The hotline is available 24 hours a day, 7 days a week. Live operators are generally available Monday-Friday from 8:00 a.m. to 4:00 p.m. (CST).
In addition to calling the toll-free number, other options have been established for the public to report allegations of fraud. The public may also:
• Complete the Fraud Reporting Form on-line located on the OAG web-site (www.auditor.illinois.gov);
• E-mail a description of the allegation to: Hotline@auditor.illinois.gov;
• Contact the Auditor General via telecommunications device for the disabled (TTY) at 1-888-261-2887; or
• Send a written report via the U.S. Postal Service to the following address:
Fraud Hotline, Auditor General’s Office, 740 E. Ash St., Springfield, IL 62703.
Individuals reporting alleged fraud to the hotline may remain anonymous. However, if the individual chooses not to be identified, the Office’s ability to follow up on the allegation may be limited.
More information regarding the reporting of fraud allegations can be found at the Fraud Hotline section of the OAG website. Jurisdiction of the Fraud Hotline does not include the legislative or judicial branches of government, nor units of local government. Other resources the public may use to report fraud if it is outside of the jurisdiction of the OAG can also be found on the website. Even if the Auditor General’s Office does not have jurisdiction over the allegation, our hotline manager will try to direct the caller to another State, federal, or local agency that may be able to help.
The Information Systems Audit Program
Computers are an integral part of State government, processing billions of dollars in financial transactions each year and helping control the operations of State agencies. Since financial transactions and confidential information are processed using computers, audits of information system activities are necessary to ensure that computer processing is secure and accurate.
TESTING CONTROLS AND SYSTEMS
The Auditor General’s office plans to continue to emphasize the review of information system controls at State agencies. In 2021, we performed information system reviews at the following agencies:
Capital Development Board, Chicago State University, Department of Children and Family Services, Department of Corrections, Department of Employment Security, Department of Financial and Professional Regulation, Department of Healthcare and Family Services, Department of Human Services, Department of Innovation and Technology, Department of Insurance, Department of Juvenile Justice, Department of Revenue, Department of Transportation, Environmental Protection Agency, Illinois Racing Board, Illinois State Police, Illinois State University, Legislative Information System, Northern Illinois University,
Office of the Comptroller, Southern Illinois University, State Fire Marshal, and University of Illinois.
To enhance the control environment, the Auditor General has emphasized the review of cybersecurity, networks, access rights, and the security and control of confidential information. These reviews have focused on the necessity of establishing consistent and effective security policies and programs, performing comprehensive risk assessments, and implementing comprehensive security techniques on all computer systems.
Twelve agencies — Department of Children and Family Services, Department of Healthcare and Chicago State University, Family Services, Department of Human Services, Department of Innovation and Technology, Department of Veterans’ Affairs, Governors State University, Illinois State Police, Illinois State University, Northeastern Illinois University, Southern Illinois University, and University of Illinois — had not established adequate controls for securing their computer resources. We recommended that these agencies evaluate their computer environments and ensure adequate security controls and policies exist to safeguard computer resources.
Five agencies — Department of Lottery, Department of Military Affairs, Department of Natural Resources, Northeastern Illinois University, and Southern Illinois University — had not completed all requirements to demonstrate full compliance with the Payment Card Industry Data Security Standards. We recommended that these agencies at least annually, assess each program accepting credit card payments, review and validate its environment, and ensure agreements with service providers are current and maintained.
Fifteen agencies — Chicago State University, Department of Commerce and Economic Opportunity, Department of Corrections, Department of Employment Security, Department of Financial and Professional Regulation, Department of Healthcare and Family Services, Department of Human Services, Department of Innovation and Technology, Department of Transportation, Department of Veterans’ Affairs, Department on Aging, Environmental Protection Agency, Illinois Gaming Board, Illinois Racing Board, and Illinois State Police — had not implemented effective change management processes to ensure changes to computer applications were properly approved, tested, and documented. We recommended that these agencies develop and implement change management standards to ensure adequate oversight of all changes to computer applications.
Seventeen agencies — Department of Children and Family Services, Department of Commerce and Economic Opportunity, Department of Corrections, Department of Employment Security, Department of Financial and Professional Regulation, Department of Healthcare and Family Services, Department of Human Services, Department of Innovation and Technology, Department of Lottery, Department of Military Affairs, Department of Natural Resources, Department of Revenue, Department of Veterans’ Affairs, Illinois Community College Board, State Board of Education, State Employees Retirement System, and Western Illinois University — had not developed or implemented access provisioning policies to ensure access rights to computer systems were properly controlled. We recommended that these agencies develop and implement access provisioning policies to ensure access rights are approved, disabled timely, and periodically reviewed.
Twenty-five agencies — Chicago State University, Department of Central Management Services, Department of Children and Family Services, Department of Commerce and Economic Opportunity, Department of Corrections, Department of Employment Security, Department of Financial and Professional Regulation, Department of Healthcare and Family Services, Department of Human Services, Department of Innovation and Technology, Department of Juvenile Justice, Department of Veterans’ Affairs, Eastern Illinois University, Environmental Protection Agency, Illinois State Police, Illinois State University, Northeastern Illinois University, Northern Illinois University, Office of Comptroller, Railsplitter Tobacco Settlement Authority, Southern Illinois University, State Appellate Defender, State’s Attorneys Appellate Prosecutor, State Board of Education, and Western Illinois University — did not perform and document internal control reviews of all external data processing related service providers. We recommended that these agencies obtain or perform independent reviews of internal controls associated with service providers at least annually.
Fifteen agencies — Chicago State University, Department of Children and Family Services, Department of Corrections, Department of Employment Security, Department of Healthcare and Family Services, Department of Human Services, Department of Innovation and Technology, Department of Juvenile Justice, Department of Natural Resources, Department of Veterans’ Affairs, Department on Aging, Environmental Protection Agency, Illinois State Police, Illinois State University, and Northeastern Illinois University — had not adequately developed or tested recovery plans to provide for continuation of critical computer operations in the event of a disaster. We recommended that these agencies develop and test disaster contingency plans.
Public Act 100-914 amended the Illinois State Auditing Act (30 ILCS 5/3-2.4 new) to specifically include Cybersecurity as part of our Compliance Examination program with an effective date of
January 1, 2019.
Sec. 3-2.4. Cybersecurity audit.
(a) In conjunction with its annual compliance examination program, the Auditor General shall review State agencies and their cybersecurity programs and practices, with a particular focus on agencies holding large volumes of personal information.
(b) The review required under this Section shall, at a minimum, assess the following:
(1) the effectiveness of State agency cybersecurity practices;
(2) the risks or vulnerabilities of the cybersecurity systems used by State agencies;
(3) the types of information that are most susceptible to attack;
(4) ways to improve cybersecurity and eliminate vulnerabilities to State cybersecurity systems; and
(5) any other information concerning the cybersecurity of State agencies that the Auditor General deems necessary and proper.
(c) Any findings resulting from the testing conducted under this section shall be included within the applicable State agency’s compliance examination report... .
To address the amendment, on the compliance examinations for the period ended June 30, 2020 we did the following:
• Updated the Compliance Audit Guide to include specific questions concerning cybersecurity practices, policies and procedures, training, roles and responsibilities, risk assessments, and data classifications. In addition, we provided guidance to assist audit staff and contractors in obtaining and reviewing documentation to support responses.
• Performed detailed testing at 23 agencies considered higher risk as part of the June 30, 2020 compliance examinations. We provided these agencies with detailed information regarding our analysis and, if appropriate, we developed findings.
As a result of our process for June 30, 2020 examinations, we identified significant weaknesses at 24 agencies: Capital Development Board, Chicago State University, Department of Children and Family Services, Department of Commerce and Economic Opportunity, Department of Corrections, Department of Financial and Professional Regulation, Department of Innovation and Technology, Department of Military Affairs, Department of Natural Resources, Department of Revenue, Department of Transportation, Department on Aging, Environmental Protection Agency, Governors State University, Illinois State Police, Illinois State University, Legislative Information System, Northeastern Illinois University, Northern Illinois University, Office of Attorney General, Office of Comptroller, Prisoner Review Board, Southern Illinois University, and University of Illinois.
To promote agencies’ responsibility to ensure that confidential information is protected from accidental or unauthorized disclosure, we generally recommended they:
• Establish and document cybersecurity roles and responsibilities.
• Establish and communicate policies, procedures and processes to manage and monitor the regulatory, legal, environmental and operational requirements.
• Perform a comprehensive risk assessment to identify and ensure adequate protection of confidential or personal information most susceptible to attack.
• Classify data to establish the types of information most susceptible to attack to ensure adequate protection.
• Ensure all employees annually complete cybersecurity training as outlined in the Data Security on State Computers Act.
• Evaluate and implement appropriate controls to reduce risk of attack.
We will continue to review cybersecurity programs and practices in our June 30, 2021 compliance examinations.
Agency officials generally concurred with our recommendations concerning these issues.
The information systems audit staff also reviewed and tested the systems and procedures at the Department of Innovation and Technology. We released three System and Organization Control (SOC) Reports regarding the Department’s control environment.
Information Technology Hosting Services
The Department provides Information Technology Hosting Services for approximately 106 user agencies.
This SOC Report contained a modified opinion as a result of:
• The Department did not ensure its controls over the Information Technology Hosting Services operated effectively.
Information Technology Shared Services
The Department provides Information Technology Hosting Services for approximately 106 user agencies.
This SOC Report contained a modified opinion as a result of:
• The Department did not ensure its controls over the Information Technology Shared Services operated effectively.
State of Illinois, Enterprise Resource Planning System
The Enterprise Resource Planning System is utilized by approximately 57 user agencies.
This SOC Report contained a modified opinion as a result of:
• The Department did not ensure its controls over the State’s Enterprise Resource Planning System operated effectively.
As a result of the modified opinions, auditors of these agencies will likely modify the agency-level risk assessments to accommodate the additional risk to agencies and perform additional procedures to properly address these risks.
Department officials accepted the recommendations in the SOC reports.
Other Office Responsibilities
ANNUAL AUDIT ADVISORY
Every year, the Auditor General’s Office distributes an Illinois Audit Advisory to all State agencies for the purpose of sharing information that may make their operations more efficient and effective, and increase compliance with State law. Copies of this audit advisory are available on our website at: www.auditor.Illinois.gov.
COMPTROLLER’S ACCOUNTING SYSTEM REVIEW
The Auditor General is required by law to annually review the Comptroller’s Statewide accounting system. This review is accomplished through the Office’s audit of the State Comptroller, and by ensuring that all agency audits are performed in accordance with the Auditor General’s Audit Guide.
In addition, the Auditor General annually reviews the State Comptroller’s pre-audit function. Pre-audit is the primary control over expenditure voucher processing. The State Comptroller pre-audits financial transactions to determine if they are proper and legal.
Peer review is an external quality control review conducted every three years by audit professionals from across the United States who are selected by the National State Auditors Association. The peer review helps to ensure that our procedures meet all required professional standards, comply with Government Auditing Standards, and produce reliable products for the agencies we audit.
The September 2020 peer review of the Auditor General’s audit processes resulted in an unmodified (clean) opinion. Additionally, the peer review team did not note any deviations from professional standards that would have required a written letter of comments. Our prior peer reviews, conducted in 1996, 1999, 2002, 2005, 2008, 2011, 2014 and 2017 likewise resulted in unmodified opinions. Our next peer review is slated for 2023.
Public Act 97-694, effective June 18, 2012, directed the Auditor General to “contract with or hire an actuary to serve as the State Actuary.” Among its duties, the State Actuary is required to “review assumptions and valuations prepared by actuaries retained by the boards of trustees of the State-funded retirement systems” and “issue preliminary reports...concerning proposed certifications of required State contributions submitted to the State Actuary by those boards.” [30 ILCS 5/2-8.1 (a) and (b)] In addition, Public Act 100-465, effective August 31, 2017, added a similar requirement for the State Actuary to review the Public School Teachers’ Pension and Retirement Fund of Chicago.
[40 ILCS 5/17-127(e)]
Through a competitive proposal process, the Auditor General awarded a contract in August 2012 to Cheiron, a full-service actuarial and consulting firm. Cheiron issued its preliminary reports to the public retirement systems in December 2020. As required by statute, the Auditor General submitted a written report to the General Assembly and Governor on December 23, 2020, documenting the initial assumptions and valuations prepared by the actuaries retained by the boards of trustees of the State-funded retirement systems, the State Actuary’s preliminary reports, and the responses of each board to the State Actuary’s recommendations.
The report is available in its entirety on our website at www.auditor.illinois.gov.
Continuing Professional Education and Training Requirements
The U.S. Government Accountability Office established Government Auditing Standards (the Yellow Book) for performing high-quality audit work with competence, integrity, objectivity, and independence to provide accountability and to help improve government operations and services.
The Yellow Book standard relating to competence specifies that management must assign auditors to conduct the engagement who collectively possess the competence needed to address the engagement objectives and perform their work in accordance with Generally Accepted Government Auditing Standards (GAGAS).
Auditors who plan, direct, perform engagement procedures for, or report on an engagement conducted in accordance with GAGAS should develop and maintain their professional competence by completing at least 80 hours of continuing professional education (CPE) every 2 years. A minimum 24 hours of that CPE should be directly related to the government environment, government auditing, or the specific or unique environment in which the audited entity operates. The remaining 56 CPE hours should be in subject matter that directly enhances auditors’ professional expertise to conduct engagements. Auditors should complete at least 20 hours of CPE in each year of the 2-year period.
Auditors hired or assigned to a GAGAS engagement after the beginning of the 2-year CPE period may complete a prorated number of CPE hours.
Also, auditors who charge less than 20 percent of their time annually to engagements conducted in accordance with GAGAS but are not involved in planning, directing, or reporting on the engagement need only comply with the 24-hour requirement.
The most recently completed 2-year period for CPE requirements as measured by the Office of the Auditor General was January 1, 2019, through December 31, 2020. All auditors, audit directors, and information specialists required to meet the CPE standards were in compliance for this 2-year period and are in compliance with current CPE requirements.
Additionally, the Office of the Auditor General is a registered sponsor with the Illinois Department of Financial and Professional Regulation, and complies with the rules of the Illinois Public Accounting Act.
CLAIMS DUE THE STATE AND METHODS OF COLLECTION
As required by law [30 ILCS 205/2 (k)], the Office of the Auditor General is reporting that there were no outstanding claims administered by the Office that were due and payable to the State as of December 31, 2020. The accounts receivables generated by our Office primarily represent billings to other State agencies for reimbursement of audit costs. Reimbursements for federal single audits are deposited into the General Revenue Fund. Reimbursements for audits not associated with federal single audits are deposited or transferred to the Audit Expense Fund. If normal collection methods fail, we request assistance from the Office of the Attorney General. To date we have never used the services of a private collection agency.
SUMMARY OF APPROPRIATIONS AND EXPENDITURES
The Office of the Auditor General was funded by appropriations
from the General Revenue Fund and Audit
Expense Fund for Fiscal Year 2021 (July 1, 2020 to September 30, 2021, including lapse period).
FY 2021 - FINAL
(Appropriation; Expended; Balance)
Personal Services . . . . . . . . . . . . . . . . . . . . . . . .$6,525,700 . . . . . . . .$6,524,440 . . . . . . . . . . .$1,260
Social Security . . . . . . . . . . . . . . . . . . . . . . . . . . .$478,000 . . . . . . . . . .$475,352 . . . . . . . . . . .$2,648
Contractual Services . . . . . . . . . . . . . . . . . . . . . . .$603,000 . . . . . . . . . .$602,459 . . . . . . . . . . . . .$541
Commodities . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .$300 . . . . . . . . . . . . .$168 . . . . . . . . . . . . .$132
Paper and Printing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .$0 . . . . . . . . . . . . . . .$0 . . . . . . . . . . . . . . .$0
Equipment . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .$0 . . . . . . . . . . . . . . .$0 . . . . . . . . . . . . . . .$0
EDP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .$0 . . . . . . . . . . . . . . .$0 . . . . . . . . . . . . . . .$0
Telecommunications . . . . . . . . . . . . . . . . . . . . . . . .$40,000 . . . . . . . . . . .$38,264 . . . . . . . . . . .$1,736
Operation of Automotive Equipment . . . . . . . . . . . . . . .$0 . . . . . . . . . . . . . . .$0 . . . . . . . . . . . . . . .$0
GRF Operations Total . . . . . . . . . . . . . . . . . . .$7,647,000 . . . . . . . .$7,640,683 . . . . . . . . . . .$6,317
Audit Expense Fund:
Audits/Studies/Investigations . . . . . . . . . . . . .$31,352,370 . . . . . . .$25,731,863 . . . . . . . .$5,620,507