M E M O R A N D U M

TO: Potential Financial Statement Users and
Interested Parties

FROM: Sara Metzger, CPA
Assistant Director of Financial and
Compliance Audits

DATE: March 21, 2025

SUBJECT: Notice regarding Fiscal Year 2023
Financial Statements of the Department of
Healthcare and Family Services


Following the completion of the Department
of Healthcare and Family Services’
(Department) Fiscal Year 2023 Financial
Statement audit, the Department identified
an issue with a potentially material impact
to the financial statements and brought this
issue to the auditors’ attention.  The
auditors have evaluated this subsequently
discovered fact in accordance with AU-C 560.
Due to the restricted use paragraph and the
knowledge that the intended users of the
audit are aware of the issue, the auditors
agreed with management that the Department’s
Fiscal Year 2023 Financial Statements do not
need to be revised.  However, because of the
public release requirements of the Auditor
General’s office, there is potential for
unintended users to exist.  As a result, we
make the following notice:

The subsequently discovered fact likely
affects the following accounts in the
Governmental Activities and General Fund
opinion units:
1. Other Receivables
2. Accounts Payable
3. Unrestricted Net Position/Committed and
Unassigned Fund Balance
4. Expenses (Health and social services)/
Expenditures (Health and social services)
5. Beginning Net Position/Beginning Fund
Balance

At this time, the full impact of the
subsequently discovered fact is unknown.
Accordingly, the Department’s Fiscal Year
2023 Financial Statements should no longer
be relied upon.

More information about this matter will be
forthcoming upon the completion and release
of the State of Illinois’ Annual
Comprehensive Financial Report for Fiscal
Year 2023 and the Department’s Fiscal Year
2024 Financial Statements, which will be
released at a later date.  Please be
advised, all information related to current
work of the Office of the Auditor General is
held confidential until conclusion of the
audit. See 74 Ill. Adm. Code 420.630(b).

___________________________________________
___________________________________________


REPORT DIGEST

DEPARTMENT OF HEALTHCARE AND FAMILY SERVICES

FINANCIAL AUDIT
FOR THE YEAR ENDED JUNE 30, 2023

Release Date:  December 19, 2024

FINDINGS THIS AUDIT: 7

CATEGORY:  NEW -- REPEAT – TOTAL
Category 1:  1 -- 5 -- 6
Category 2:  1 -- 0 -- 1
Category 3:  0 -- 0 -- 0
TOTAL:  2 -- 5 -- 7

FINDINGS LAST AUDIT: 9

State of Illinois, Office of the Auditor
General
FRANK J. MAUTINO, AUDITOR GENERAL

To obtain a copy of the Report contact:
Office of the Auditor General, 400 West
Monroe, Suite 306, Springfield, IL
62704-9849
(217) 782-6046 or TTY (888) 261-2887

This Report Digest and Full Report are also
available on the worldwide web at
www.auditor.illinois.gov

INTRODUCTION

The digest covers The Department’s Financial
Audit as of and for the year ended June 30,
2023. A digest covering the Department’s
State Compliance Examination for the two
years ended June 30, 2023, was separately
released.

SYNOPSIS

• (23-01) The Departments (HFS and DHS) had
weaknesses in the general information
technology (IT) controls over the Integrated
Eligibility System (IES).

• (23-06) The Department’s year-end
financial reporting in accordance with
generally accepted accounting principles
(GAAP) contained weaknesses and
inaccuracies.

FINDINGS, CONCLUSIONS, AND RECOMMENDATIONS

INADEQUATE GENERAL INFORMATION TECHNOLOGY
(IT) CONTROLS OVER IES

The Department of Healthcare and Family
Services (HFS) and the Department of Human
Services (collectively, the “Departments”)
had weaknesses in the general information
technology (IT) controls over the Integrated
Eligibility System (IES).

Management of the Departments have a shared
responsibility for various human service
programs in the State and for internal
controls over the manual and automated
processes relating to eligibility for these
programs. The Departments IES is the
automated system used by the Departments to
intake, process (with the assistance of
caseworkers), and approve assistance
applications, maintenance items, Mid-Point
Reports, and redeterminations of eligibility
as well as to make payments for the State’s
human service programs.

In addition to the conditions noted below,
related IES issues over disaster recovery
controls are noted in Finding Code No.
2023-002.

Environment
The IES application and data reside on the
Department of Innovation and Technology
(DoIT) environment. In this regard, DoIT is
a service provider to the Departments.

During the Departments’ internal security
review, completed as part of its Plan of
Actions and Milestones (2023) report to the
U.S. Department of Health and Human
Services, Centers fo Medicare and Medicaid
Services (CMS), significant threats over
DoIT’s general IT environment, which hosts
IES, were identified.

Further, during our fieldwork it was noted
the Departments experienced three security
breaches related to the IES system; the
first breach occurred in August 2022, the
second breach was discovered in March 2023,
and the third breach occurred in August
2023.

Change Control
IES Application Changes – Policies and
Procedures
Based on our review of sampled
infrastructure changes, we noted backout
plans to return the system to a previous
functional version in the event a change
moved into production caused undesired
results had not been prepared for individual
infrastructure changes for 5 out of 5 (100%)
changes reviewed. (Finding 1, pages 56-57)
This finding has been reported since 2017.


We recommended management of both
Departments work together to strengthen
controls over the IES environment by
addressing all significant threats
identified in the Plan of Actions and
Milestones (2023) report to the U.S.
Department of Health and Human Services,
Centers for Medicare and Medicaid Services.
We also recommended management of both
Departments ensure backout plans are
developed and documented for infrastructure
changes.

HFS accepted the recommendation. HFS stated
that the IES application and data reside on
the DoIT infrastructure and as the service
provider, they are responsible for ensuring
a secure environment, significant threats
are identified and backout plans are
developed. HFS stated it will work with DoIT
to implement the IES technology refresh
projects as planned in FY25 to resolve
security weaknesses and close out aged Plan
of Action and Milestone findings. HFS will
also require DoIT to provide documented
backout plans with all IES infrastructure
changes.

FINANCIAL STATEMENT PREPARATION WEAKNESSES

The Department of Healthcare and Family
Services’ (Department) year-end financial
reporting in accordance with generally
accepted accounting principles (GAAP)
contained inaccuracies and omitted amounts
affecting balances.

During our audit of the Departments’
financial statements, we brought errors to
the Departments’ attention. The table below
summarizes the impact on the financial
statements. Some of the errors were
individually inconsequential to the overall
fairness of the presentation of the
Department’s financial statements. The
Department subsequently corrected these
errors.

Financial Statement Line Description --
Overstated (Understated) (expressed in
thousands)
Asset -- (32,378)
  Due from Other Government – Federal --
  105,148
  Allowance for Uncollectible, Other
  Receivables  -- (68,534)
  Inventories -- (458)
  Due from other Department Funds --
  (68,534)
Expenditure -- 53,478
  Health and Social Services	-- 53,478
Liability -- 21,768
  Accounts payable & accrued liabilities --
  30,215
  Due to Other Government – Federal --
  (45,061)
  Due to Other Department Funds -- (68,534)
  Unavailable Revenue – Federal Operating
  Grants -- 105,148
Revenue -- (668)
  Medical Providers Assessment Taxes --
  (668)

In addition to the financial statement
errors noted above, we brought the following
footnote errors to the Departments’
attention.

• Footnote 3(a), Deposits: Cash on deposit
for locally held funds of fiduciary
activities reported a carrying amount of
$1.61 million and should have been $1.88
million.

• Footnote 12, Postemployment Benefits: The
Deferred Outflows of Resources table
originally disclosed incorrect balances for
the Department contributions subsequent to
the measurement date line. The balance
should have been $14 thousand and was
initially reported as $92 thousand. As a
result, the total deferred outflows of
resources was incorrectly reported as $183
thousand and should have been $106 thousand.
The Department subsequently corrected these
errors.

Further, the Department lacked effective
communication between its program and fiscal
areas and external sources, resulting in the
untimely identification of information
pertinent to the financial statements. The
financial reporting staff continued to
receive updates from program areas and third
parties after the initial financial
statements were prepared, resulting in
further modifications. Consequently, the
preparation of the final financial
statements was delayed. The errors and
revisions noted below were identified after
the initial financial statements were
prepared by the Department, resulting in
multiple versions of the financial
statements. The final revision was provided
on April 2, 2024, and the Department
confirmed this was the final revision on
April 18, 2024. The table below summaries
the adjustments required for the Department
to present, fairly, in all material
respects, the financial position of the
Department. Additional adjustments were made
by the Department based on further analysis
performed. These adjustments were
individually inconsequential to the overall
fairness of the presentation of the
Department’s financial statements and
therefore were not included in the summary
below.  (Finding 6, pages 67-69)

Financial Statement Line Description --
Overstated (Understated) (expressed in
thousands)
Asset -- (180,777)
   Due from Other Government – Federal --
   (180,777)
Expenditure -- (163,559)
   Health and Social Services -- (163,559)
Liability -- (344,336)
   Due to Other Government – Local --
   (163,559)
   Unavailable Revenue – Federal  Operating
   Grants -- (180,777)

We recommended the Department evaluate its
methodologies in determining estimates for
information not readily available at the
time the financial statements are prepared
and strengthen its internal controls to
ensure its financial reporting is timely
completed and in accordance with GAAP.

The Department accepted the recommendation
and stated that it will work with the
program staff area and with external
partners to review current processes and
investigate potential improved methodologies
for determining estimates. The Department
also stated that it will strengthen its
processes for review and approval of
financial reporting documents.

OTHER FINDINGS

The remaining findings pertain to inadequate
disaster recovery controls over the IES,
inadequate controls over eligibility
determination and redeterminations,
inadequate general information technology
controls over IMPACT, insufficient review
and documentation of provider enrollment
determinations, and failure to properly
identify capital assets in accordance with
reporting standards.  We will review the
Department’s progress towards the
implementation of our recommendations in our
next financial audit.

AUDITOR’S OPINION

The auditors stated the financial statements
of the Department of Healthcare and Family
Services as of and for the year ended June
30, 2023 are fairly stated in all material
respects.

This financial audit was performed by Sikich
CPA LLC.

JANE CLARK
Division Director

This report is transmitted in accordance
with Section 3-14 of the Illinois State
Auditing Act.

FRANK J. MAUTINO
Auditor General

FJM:km