The past year has been challenging for the people of Illinois. Thankfully, we are beginning to resume normal operations. As our State agencies return to work and resume day-to-day responsibilities, I want to thank the employees, managers, and State leaders for their diligence as we work our way through the pandemic.

This issue of the Audit Advisory discusses Independence requirements for report preparation and census data as it relates to pension and other post-employment benefits (OPEB).

Increases in technology have created opportunities for efficiencies in auditing and reporting but have also exposed risk, vulnerabilities, and challenges. State agencies must strengthen their internal controls in order to combat and defend against the increasing threat of cyber-criminal operations. This issue will discuss cyber security reviews which are being conducted as a direct result of legislation passed by Representative Jamie Andrade and Senator Laura Ellman.

The enterprise resource planning system (ERP) is now online for financial reporting. Even before COVID-19 paralyzed our agencies, we experienced inordinate delays in agency management’s preparation of financial statements and related note disclosures. These delays adversely impacted the timeliness and accuracy of State reporting. Moving towards a single state-wide reporting system should improve the timeliness of financial reporting. As we move to more normal operations, we should remember the success of our government relies on the fundamental principles of accountability, transparency, and diligence. 

Due to changes in independence requirements, effective June 30, 2020, the Office of the Auditor General (OAG) requires auditees, without auditor assistance, to prepare the report components comprising the Supplementary Information for State Compliance Purposes usually found within the OAG’s compliance reports. To help facilitate this change, the OAG published guidance on its website for auditees to follow in preparing these report components (see link below). It is important for all auditees to review this document in its entirety and prepare the various report components in accordance with this guidance. Failure to materially prepare report components in a timely manner in accordance with this guidance may result in findings.

While we do not express an opinion, a conclusion, or provide any assurance on these report components, we read them to identify potential errors based on our knowledge of the auditee and, where possible, compare or reconcile the information to the auditee’s records examined during the compliance examination. If we identify any potential errors, we will bring the matter to the attention of the auditee’s management to ideally either correct the error or demonstrate why the disclosure is complete and accurate.

Recent audits have found that some auditees have inadequate internal controls to both:

(1) prepare the report components, and

(2) demonstrate the report components prepared by agency management were complete and accurate.

Compliance examinations stress the fundamentals of governmental accountability, including providing transparency about the auditees’ fiscal and administrative controls and whether the auditees’ resource utilization was efficient, effective, and in compliance with applicable law. Failure to prepare accurate and complete report components hinders the ability of users of compliance examination reports to obtain additional analysis of the auditees’ operations.

OAG Guidance on Report Component Preparation

http://auditor.illinois.gov/Other-Public-Documents/Report-Component-Templates.asp

Public Act 100-0914 amended the Illinois State Auditing Act (30 ILCS 5/3-2.4 new) to specifically include Cybersecurity as part of our Compliance Examination program with an effective date of January 1, 2019.

As outlined in the 2020 Audit Advisory, we incorporated a review of Cybersecurity into the standard compliance examination program and also performed detailed testing at approximately 20 agencies in both the June 30, 2019 and 2020 examinations. We used the following general criteria in our examinations to determine if agencies had:

1. Established and documented cybersecurity roles and responsibilities.

2. Established and communicated policies, procedures, and processes to manage and monitor the regulatory, legal, environmental, and operational requirements.

3. Performed a comprehensive risk assessment to identify and ensure adequate protection of confidential or personal information most susceptible to attack.

4. Classified data to establish the types of information most susceptible to attack to ensure adequate protection.

5. Ensured all employees annually complete cybersecurity training as outlined in the Data Security on State Computers Act.

6. Evaluated and implemented appropriate controls to reduce the risk of attack.

We identified significant weaknesses at 29 agencies (from reports released through July 14, 2021) and the table below summarizes our findings. (Please see PDF version of this Advisory to view the exhibit.) To promote agencies’ responsibility to ensure that confidential information is protected from accidental or unauthorized disclosure, we generally recommended they ensure that the six areas identified above are adequately addressed. We will continue to emphasize the review of cybersecurity programs and practices in future compliance examinations.

Several recent audits have found significant issues related to a lack of census data reconciliation. Census data is demographic data (such as date of birth, gender, and years of service) of the active, inactive, or retired members of a pension plan or OPEB (other postemployment benefits) plan. The plans are responsible for inactive and retired members. However, employers (State agencies, universities, etc.) are responsible for submitting accurate census data information on active employees to the plans.

Recent audits have found that agencies have not performed an initial complete reconciliation of its census data to establish a base year of complete and accurate census data. Agencies have also not developed a process to annually obtain incremental changes from the retirement plans and the Illinois Department of Central Management Services (CMS) to reconcile those changes back to internal supporting records.

Actuaries depend on employer-provided census data reported to the plans being complete and accurate. Failure to reconcile active members’ census data could result in each plan’s actuary relying on incomplete or inaccurate census data. This could lead to misstatements of the agencies’ pension and OPEB amounts.

For agencies with financial statements audits, we are in the process of changing how we approach census data testing. We have engaged with our Special Assistant Auditors assigned to the plan audits to perform the employer-level census data testing simultaneously with the plan-level census data testing they were already performing. This change will result in a new examination opinion (AT-C § 205 report) being issued for agencies. The auditors of the relevant plan will issue the AT-C § 205 report on the accuracy and completeness of an agency’s census data each year and then this opinion will be used as evidence by the financial statement auditors assigned to the audit in forming their opinion on the financial statements.

All agencies will be asked by the plans to perform a baseline reconciliation. The State Retirement System has begun issuing guidance on how the initial reconciliation will be performed for agencies in their plans (SERS, GARS, & JRS). Because of the relationship between pension and OPEB census data, the pension plan reconciliations will be sufficient to cover the reconciliation for both pension and OPEB. We expect the State Universities Retirement System to issue guidance on the initial reconciliation to be performed for the universities.

[State and University Employees are members of one of the State retirement systems for their pensions and a group insurance program sponsored by CMS for their OPEB.]

[Recent Finding Example: The agency did not have a reconciliation process to provide assurance census data submitted to its pension and OPEB plans was complete and accurate.]