REPORT DIGEST

DEPARTMENT OF EMPLOYMENT SECURITY

COMPLIANCE EXAMINATION FOR THE TWO YEARS ENDED JUNE 30, 2019

Release Date: July 7, 2020

FINDINGS THIS AUDIT: 15

CATEGORY: NEW -- REPEAT -- TOTAL
Category 1: 2 -- 1 -- 3
Category 2: 5 -- 7 -- 12
Category 3: 0 -- 0 -- 0
TOTAL: 7 -- 8 -- 15

FINDINGS LAST AUDIT: 11

Category 1: Findings that are material weaknesses in internal control and/or a qualification on compliance with State laws and regulations (material noncompliance).
Category 2: Findings that are significant deficiencies in internal control and noncompliance with State laws and regulations.
Category 3: Findings that have no internal control issues but are in noncompliance with State laws and regulations.

State of Illinois, Office of the Auditor General
FRANK J. MAUTINO, AUDITOR GENERAL

To obtain a copy of the Report contact: Office of the Auditor General, Iles Park Plaza, 740 E. Ash Street, Springfield, IL 62703, (217) 782-6046 or TTY (888) 261-2887

This Report Digest and Full Report are also available on the worldwide web at www.auditor.illinois.gov

INTRODUCTION

This digest covers our compliance examination of the Department of Employment Security (Department) for the two years ended June 30, 2019. A separate financial audit as of and for the year ended June 30, 2019 was previously released on March 3, 2020. In total, this report contains 15 findings, 5 of which were also reported in the financial audit.

SYNOPSIS

• (19-06) The Department did not have adequate controls over the completion and submission of reconciliations relating to expenses, revenues, cash, and locally held funds.
• (19-09) The Department did not have adequate controls over its property and equipment and related records.
• (19-11) The Department did not implement adequate internal controls related to cybersecurity programs and practices.
• (19-12) The Department lacks security at the Metro South Regional office facility.

FINDINGS, CONCLUSIONS, AND RECOMMENDATIONS

INADEQUATE CONTROLS OVER MONTHLY RECONCILIATIONS

The Department did not have adequate controls over the completion and submission of reconciliations relating to expenses, revenues, cash, and locally held funds.

During our testing of 48 monthly expenditure reconciliation reports, we noted the following:
• Sixteen (33%) monthly reconciliations were not prepared for Fiscal Year 2018.
• Six (13%) monthly reconciliations were not completed timely, three for Fiscal Year 2018 and three for Fiscal Year 2019.

During our testing of 48 monthly revenue reconciliation reports, we noted the following:
• Sixteen (33%) monthly reconciliations were not prepared for Fiscal Year 2018.
• Two (4%) monthly reconciliations were not completed timely for Fiscal Year 2019.

During our testing of 48 monthly cash reconciliation reports, we noted the following:
• Twenty-seven (56%) monthly reconciliations were not prepared timely.
• Nine (19%) monthly reconciliations were prepared prior to the completion of the associated monthly revenue reconciliation.

During our testing of 48 locally held fund reconciliations, we noted four (8%) monthly reconciliations were not prepared timely. (Finding 6, pages 17-18)

We recommended the Department consistently complete required monthly reconciliations relating to expenses, revenues, cash, and locally held funds in a timely manner.

Department management accepted the finding.

INADEQUATE CONTROLS OVER PROPERTY AND EQUIPMENT RECORDS

The Department did not have adequate controls over its property and equipment and related records. A few of the issues we noted follow:

During our testing of 60 assets selected from the Department’s inventory records, we noted the following:
• Twenty-one (35%) items were on the inventory listing, but were not found on site.
• Two (3%) items were found on site, but no ID tag was found on the equipment.

During our testing of 60 assets found throughout the Department’s offices, we noted the following:
• Fifty-two (87%) items were found on site with a valid ID tag, but could not be found on the inventory listing.
• Two (3%) items were confirmed to be transferable property but had not been transferred as of the date of testing.

During our testing of 7 surplus items held at the Department, we noted 4 (57%) items were found on site with a valid ID tag, but could not be found on the inventory listing. (Finding 9, pages 22-24) This finding was first reported in 2015.

We recommended the Department adhere to the requirements of the Illinois Procurement Code, the State Property Control Act, the Illinois Administrative Code, the Fiscal Control and Internal Auditing Act, and the Department’s Procedures Manual and determine the Department has sufficient trained personnel to maintain property records and accurately report information to DCMS. We also recommended the Department review procedures for maintaining surplus/unused items in order to minimize the amount of idle property and equipment.

Department management accepted the finding.

WEAKNESSES IN CYBERSECURITY PROGRAMS AND PRACTICES

The Department did not implement adequate internal controls related to cybersecurity programs and practices.

As a result of the Department’s mission to administer the State’s unemployment claims, it maintains computer systems that contain large volumes of confidential or personal information such as names, addresses, Social Security numbers, and federal and State tax information of the citizens of the State.

During our examination of the Department’s cybersecurity program, practices, and control of confidential information, we noted the Department did not:
• Classify its data to identify and ensure adequate protection of information (i.e. confidential or personal information) most susceptible to attack.
• Require employees and contractors to review and acknowledge receipt of the Department’s security policies.

In addition, we requested the Department provide a population of employees who were to have completed the annual cybersecurity training. In response to our request, the Department provided the population; however, the Department did not provide documentation demonstrating the population was sufficiently precise and detailed under the Professional Standards promulgated by the American Institute of Certified Public Accountants (AU-C § 330, AU-C § 530).

Even given the population limitations noted, we performed testing to determine if employees had completed the annual cybersecurity training as required by the Data Security on State Computers Act. Our testing noted 4 of 39 (10%) employees sampled had not completed the annual cybersecurity training. Furthermore, the Department did not require 4 of 4 (100%) new employees sampled to complete the annual cybersecurity training upon employment.

Furthermore, an individual on 75-day appointment worked remotely on payroll matters which required them to receive confidential information. However, the individual was utilizing their personal computer and the Department was not aware of the security control implemented on the computer. Additionally, there are no policies or procedures in place at the Department to ensure the protection and safe disposal of payroll information from personal devices of employees working remotely. (Finding 11, pages 26-27)

The Department has the ultimate responsibility for ensuring confidential information is protected from accidental or unauthorized disclosure. Specifically, we recommended the Department:
• Classify data to ensure adequate protection of confidential or personal information most susceptible to attack.
• Ensure all employees and contractors review and acknowledge receipt of the Department’s security policies.
• Ensure all staff members annually complete cybersecurity training as outlined in the Data Security on State Computers Act. Additionally, the Department should maintain documentation regarding the completeness and accuracy of the population related to cybersecurity training.
• Ensure adequate security controls are implemented on all equipment utilized by employees, appointments and contractors.

Department management accepted the finding.

INADEQUATE SECURITY AT LOCAL OFFICE

The Department lacks security at the Metro South Regional office facility.

During a tour of the Metro South Regional office facility, we noted that various areas of the facility are secured by keypad access. However, there is only one access code that grants access throughout the facility, including the employee side entrance. Per inquiry, the code has been provided to all employees and cleaning staff, and has no time restrictions. As there is no security system or cameras in place, there is a risk that employees, former employees, and cleaning staff can enter the building after hours and gain access to sensitive information. (Finding 12, page 28)

We recommended the Department implement enhanced security measures to access and monitor the Metro South Regional office facility.

Department management accepted the finding.

OTHER FINDINGS

The remaining findings pertain to inadequate controls over receivable allowances, penalty and interest receivables, write offs, GenTax access, and telecommunications devices, inaccurate refunds payable, performance evaluations not completed timely, inadequate review of access rights for terminated employees, weaknesses in cybersecurity programs and practices, and noncompliance with the Unemployment Insurance Act, the Election Code and the Public Employment Office Act. We will review the Department’s progress towards the implementation of our recommendations in our next engagement.

AUDITOR’S OPINION

The financial audit report was previously released.
The auditors stated the financial statements of the Unemployment Compensation Trust Fund of the Department as of and for the year ended June 30, 2019 are fairly stated in all material respects.

ACCOUNTANT’S OPINION

The accountants conducted a compliance examination of the Department for the two years ended June 30, 2019, as required by the Illinois State Auditing Act. The accountants qualified their report on State compliance for Findings 2019-001, 2019-002, and 2019-003. Except for the noncompliance described in these findings, the accountants stated the Department complied, in all material respects, with the requirements described in the report.

The financial audit and this compliance examination were conducted by RSM US LLP.

JANE CLARK
Division Director

This report is transmitted in accordance with Section 3-14 of the Illinois State Auditing Act.

FRANK J. MAUTINO
Auditor General

FJM:dmg