Volume 22, 2016 Annual
AUDIT ADVISORY
Emerging and Potential Audit Issues
Frank J. Mautino, Auditor General
_______________________________________________________________________________
Auditor General Frank J. Mautino
The General Assembly appointed Rep. Frank J. Mautino as the Auditor General of Illinois for a ten-year term beginning on January 1, 2016. Mr. Mautino graduated from Illinois State University with a degree in marketing.
Mr. Mautino’s father, Richard Mautino, also served in the Illinois House of Representatives for 17 years. When his father passed away in 1991, Mr. Mautino was appointed to fill his position at age 29 and served for 24 years in the Legislature. Shortly thereafter, he married his wife Lena and they have three children.
Mr. Mautino comes from a family which has owned a beer distributorship in Spring Valley, IL since 1905. He started working for the company at age 14 and, after graduation, became a corporate brand manager with audit responsibilities.
In the General Assembly, Mr. Mautino served on the Appropriations Committee and went on to become the Deputy Majority Leader. He also served on the Agriculture, Insurance, Education, and Revenue committees, along with serving on the Economic and Fiscal Commission. For his last 12 years, he was the co-Chair of the Legislative Audit Commission where he reviewed approximately 2,000 audits.
Joining the OAG with Mr. Mautino is Dean Devert as Chief of Staff. Mr. Devert worked for 13 years at the Illinois Department of Transportation before joining the OAG.
_______________________________________________________________________________
CLOUD COMPUTING
Cloud computing is a type of computing that relies on sharing computing resources rather than having local servers or devices to handle applications. In other words, computing services are provided at remote data centers and shared among other entities.
Cloud computing decreases hardware, software, and maintenance costs for users as they access services through interface software, such as a Web browser, and the cloud provider furnishes the computing environment. Some of the popular cloud services include mail services such as Gmail, Hotmail, or Yahoo.
Many organizations, including state agencies, are implementing cloud computing solutions to improve performance and reduce costs. However, as computing services are outsourced (even to other state agencies), agencies still have the ultimate responsibility over the integrity and security of their data.
As data owners, an agency entering into the cloud computing arena should ensure an adequate service level agreement is in place. The agreement should include financial terms and address key system attributes such as:
• Security – the environment is protected against both physical and logical unauthorized access.
• Availability – the environment is available for operation and use as committed or agreed.
• Processing integrity – system processing is complete, accurate, timely, and authorized.
• Confidentiality – information designated as confidential is adequately protected.
Agencies should also obtain or perform independent reviews of internal controls associated with outsourced environments at least annually. Any exceptions from the internal controls review should be reviewed and assessed for risk.
_______________________________________________________________________________
DATA SECURITY ON STATE COMPUTERS
The Data Security on State Computers Act (20 ILCS 450) requires agencies to implement a policy to mandate all hard drives of surplus electronic data processing equipment be erased, wiped, sanitized, or destroyed in a manner which prevents the retrieval of both sensitive data and software before the drives are sold, donated or transferred.
The Act also requires a written certification to verify the overwriting process has been completed. The certification should document the following information:
(1) the serial number of the computer or other surplus electronic data processing equipment;
(2) the name of the overwriting software or physical destruction process used; and
(3) the name, date, and signature of the person performing the overwriting or destruction process.
In our effort to help ensure confidential or sensitive data is not exposed, we routinely test compliance with this Act in our Compliance examinations. To validate compliance, agencies should be able to produce the required certifications for any applicable surplus equipment.
This requirement also applies to agencies utilizing a DCMS authorized electronics recycling vendor to perform the data wipe. Agencies should ensure the data wipe was performed and have a certificate of destruction available for surplus equipment.
_______________________________________________________________________________
PERSONAL INFORMATION PROTECTION ACT
The Personal Information Protection Act (815 ILCS 530/) was amended by PA 99-503 and the new provisions are effective on January 1, 2017.
The updated Act expands the definition of personal information to include:
• Such information that was encrypted or redacted but the keys to unencrypt or unredact or otherwise read the name or data elements have been acquired without authorization through the breach of security.
• User name or email address, in combination with a password or security question and answer that would permit access to an online account.
• Medical information.
• Health insurance information.
• Unique biometric data generated from measurements or technical analysis of human body characteristics used by the owner or licensee to authenticate an individual.
We suggest you review the Act and update policies and procedures to reflect the changes.
_______________________________________________________________________________
GRANT MONITORING
On July 16, 2014, the Grant Accountability and Transparency Act (GATA) became law. GATA, which was the product of the work of the Illinois Single Audit Commission, was intended to comply with the General Assembly’s directive to: (1) develop a coordinated, non-redundant process for the effective and efficient oversight of grant recipients; and, (2) define the purpose, scope, applicability, and responsibilities in the life cycle of a grant. GATA was the first state legislation of its kind to require the adoption and implementation of a set of comprehensive standards that mandate accountability and transparency throughout the life cycle of a grant.
Grant funds have accounted for approximately two-thirds of the State’s annual operating budget. A unit within the Governor’s Office of Management and Budget (GOMB) is tasked with implementing GATA. In late December 2015, a standardized grant agreement document was developed. That document addresses many of the issues reported by the Auditor General. These issues include: purchase and disposition of equipment; budget revisions; fiscal reporting; and, information on other State agency contracts the grantee holds.
Internal controls are only effective if the controls are enforced by management. The Statewide Single Audit reports multiple grant-related findings on federal funds on an annual basis. A recent performance audit of three State grant programs, totaling over $39 million, administered by a State agency found that the agency had many monitoring controls in place for the programs. However, the agency did not enforce those controls. Control breakdowns included:
• circumventing its normal grantee approval process for grantee selection;
• failure to enforce fiscal and program reporting requirements on grantees;
• failure to conduct timely site visits to grantees;
• failure to ensure required background checks were conducted; and,
• failure to execute a budget for the second year of the grant.
An additional finding in the performance audit dealt with how grantees charge the wages paid to its staff. We found instances where the grantee reported wage figures in the grant agreement for individuals that were higher than what the grantee reported to the Attorney General in the annual report filings. The result may be the State grant being charged more than what was paid to the staff member. This situation was compounded by the State agency not requiring the identification (names) of all staff charged to the grant. Absent this identification information, the oversight agency cannot confirm the staffing expertise promised is what the State received.
Grant monitoring and oversight will continue to be an emphasis of audit testing by the Auditor General.
_______________________________________________________________________________
RESPONSIBILITIES OF AGENCY MANAGEMENT
The Government Auditing Standards established by the U.S. Government Accountability Office (GAO), sets forth the responsibilities of agencies. These GAO standards are followed by the Office of the Auditor General when conducting audits of State agencies.
The standards state that agency officials are entrusted with public resources and are responsible for carrying out functions effectively, efficiently, economically, ethically, and equitably. Agencies are responsible for having reliable, useful, and timely information.
Agencies should be reporting the results of programs to those who oversee the program. Agencies should be complying with laws and regulations, including identifying applicable requirements and implementing systems to achieve compliance.
Internal controls are reflected in the policies, procedures, directives, decisions, reviews, and reports. Agencies are responsible for establishing effective internal controls to ensure goals are met and resources are used appropriately.
Internal controls serve as a defense in safeguarding assets and preventing and detecting errors, fraud, and violations of laws, regulations, and provisions of contracts and grants. Internal control includes:
• assessing the plan of the organization;
• methods and procedures adopted to meet its mission, goals and objectives;
• the processes for planning, organizing, directing, and controlling; and
• the system for measuring, reporting, and monitoring program performance.
Management has fundamental responsibilities for carrying out government functions and is responsible for:
• using its resources to achieve the purposes for which the resources were furnished;
• complying with applicable laws and regulations;
• implementing systems designed to achieve compliance;
• having effective internal control to ensure that appropriate goals and objectives are met;
• following sound procurement practices when contracting for audits, including monitoring contract performance; and
• taking timely and appropriate steps to remedy fraud, noncompliance, or abuse that auditors report.
_________________________________________________________________________________________
STANDARDS FOR INTERNAL CONTROL
In
2014, the Government Accountability Office (GAO) issued standards for internal
control which may be adopted by states and local governments. These standards
contain good business practices:
1. Establish a mission statement, goals, objectives, and strategic plan. Entity management needs to determine its mission, set a strategic plan, establish objectives, and formulate plans to achieve its objectives.
2. Establish specific and measurable objectives. Management shall define its objectives to be specific and measurable. Specific terms should be easily understood. Measurable terms allow for the assessment of performance toward its objectives.
3. Define the individuals responsible for achieving objectives, including the time frame for achieving objectives. Management shall define objectives in specific terms so they are understood at all levels of the entity. This involves clearly defining what is to be achieved, who is to achieve it, how it will be achieved, and the time frames for achievement.
4. Document policies and procedures. Each unit, with guidance from management, shall determine the policies necessary to operate, and document the policies to allow effectively monitoring the control activity. Those in key roles for the unit may further define policies through day-to-day procedures.
5. Identify information requirements needed to achieve agency/program objectives. Management shall design a process to identify the information requirements that are needed to achieve the objectives and address the risks.
6. Establish and document the internal control system. Internal control helps managers achieve desired results through effective stewardship of public resources.
a. Management should develop and maintain documentation of its internal control system.
b. Documentation provides a means to retain organizational knowledge and mitigate the risk that the knowledge is limited to a few personnel.
7. Evaluate internal controls and correct any deficiencies on a timely basis. Management will evaluate and document the results of ongoing monitoring to identify internal control issues.
8. Track major achievements and compare them to goals and objectives. Management will track major entity achievements and compare them to the plans, goals, and objectives it has established.
9. Assess the knowledge, skills, and ability of the workforce. Management will continually assess the knowledge, skills, and ability needs of the entity so that the entity has a workforce that has the required knowledge, skills, and abilities to achieve goals.
10. Evaluate the entity’s communication methods. Management will internally communicate the necessary information to achieve the entity’s objectives.
_________________________________________________________________________________________
WHAT IS THE GOVERNMENTAL ACCOUNTING STANDARDS BOARD?
www.accountingfoundation.org & www.gasb.org
The Financial Accounting Foundation (FAF) is a not-for-profit organization which provides oversight and administration of the Financial Accounting Standards Board (FASB) and the Governmental Accounting Standards Board (GASB). The FAF was established in 1972.
FAF is comprised of a Board of Trustees and a management team, along with two standard-setting Boards (FASB and GASB).
“The FASB and GASB establish and improve financial accounting and reporting standards – known as Generally Accepted Accounting Principles, or GAAP – for public and private companies, not-for-profit organizations, and state and local governments in the United States. Both organizations set high-quality standards through a process that is robust, comprehensive, and inclusive.”
FASB is responsible for standards for companies and not-for-profit organizations while GASB is responsible for standards for state and local governments.
The goal of GASB, FASB, and FAF is to establish and improve accounting and reporting standards to provide information to users and to educate stakeholders on how to understand those standards.
More than a decade after the FAF was created, the GASB was established. GASB provides “. . . accounting and financial reporting standards for U.S. state and local governments that follow Generally Accepted Accounting Principles (GAAP). These standards are recognized as authoritative by state and local governments, state Boards of Accountancy, and the American Institute of CPAs (AICPA). The GASB develops and issues accounting standards through a transparent and inclusive process intended to promote financial reporting that provides useful information to taxpayers, public officials, investors, and others who use financial reports.”
_________________________________________________________________________________________
###
Contact Information:
Office of the Auditor General
Iles Park Plaza, 740 East Ash Street
Springfield, Illinois 62703-3154
Michael A. Bilandic Building,
160 N. LaSalle Street, Suite S-900
Chicago, Illinois 60601-3109
Phone: 217-782-6046
Fax: 217-785-8222
TTY: 1-888-261-2887
Fraud Hotline: 1-855-217-1895
E-mail: oag.auditor@illinois.gov
Website: www.auditor.illinois.gov