State of Illinois
Office of the Auditor General
2023 Annual Report
March 1, 2024
The Honorable Members of the General Assembly
The Legislative Audit Commission
The Honorable JB Pritzker, Governor
Citizens of Illinois
Ladies and Gentlemen:
Enclosed is the Annual Report of the Auditor General’s Office, submitted in compliance with Section 3-15 of the Illinois State Auditing Act.
The mission of the Auditor General’s Office has been, and will continue to be, to present objective, balanced and independent audits. I believe this Annual Report reflects the Office’s success in fulfilling that goal during calendar year 2023.
I would like to thank the members of the General Assembly, members and staff of the Legislative Audit Commission, and the staff of the Auditor General’s Office, through whose efforts the reported accomplishments were made possible.
Yours truly,
FRANK J. MAUTINO
Auditor General
Overview
Frank J. Mautino became Auditor General
of the State of Illinois on January 1, 2016. Prior to his appointment as Auditor General, Mr. Mautino was a member of the Illinois House of Representatives, and served as a co-chairman of the Legislative Audit Commission.
As a constitutional officer, the Auditor General audits public funds of the State and reports findings and recommendations to the General Assembly and to the Governor. The establishment of the Auditor General under the Legislature is important. It ensures that the Legislature, which grants funds and sets program goals, will ultimately review program expenditures and results. Thus, agencies are accountable to the people through their elected representatives.
The Auditor General’s Office performs several types of audits to review State agencies. Financial audits and Compliance examinations are mandated by law. They disclose the obligation, expenditure, receipt, and use of public funds. They also provide agencies with specific recommendations to help ensure compliance with State and federal statutes, rules and regulations.
Performance audits are conducted at the request of legislators to assist them in overseeing government. Programs, functions, and activities are reviewed according to the direction of the audit resolution or law directing the audit. The General Assembly may then use the audit recommendations to develop legislation for the improvement of government.
Information Systems audits are performed on the State’s computer networks. They determine whether appropriate controls and recovery procedures exist to manage and protect the State’s financial and confidential information.
Copies of all audits are made available to members of the Legislature, the Governor, the media, and the public. Findings include areas such as accounts receivable, computer security, contracts, expenditure control, leases, misappropriation of funds, personnel and payroll, property control, purchasing, reimbursements, telecommunications, and travel.
Audit reports are reviewed by the Legislative Audit Commission in a public hearing attended by agency officials. Testimony is taken from the agency regarding the audit findings and the plans the agency has for corrective action. In some cases, the Commission may decide to sponsor legislation to correct troublesome fiscal problems brought to light by an audit. All outstanding recommendations are reviewed during the next regularly scheduled audit of an agency or, if the Commission requests, a special interim audit may be conducted.
Public Information
An audit and its supporting workpapers, unless confidential by, or pursuant to, law or regulation, are public documents once the report has been officially released to the Legislature, the public, and the press. These documents are available for review in our Springfield and Chicago offices.
The following information is also available by request:
• Late Filing Affidavits
• Emergency Purchase Affidavits
Information about the Auditor General is availab
le on the Internet. This information includes report summaries and full report texts.
Our internet web site address is: www.auditor.Illinois.gov
Our e-mail address is: audgen@auditor.illinois.gov
Public information is available by writing:
FOIA Officer
Office of the Auditor General
400 West Monroe
Suite 306
Springfield, IL 62704-9849
Springfield:
Telephone: (217) 782-6046
Fax: (217) 785-8222
Chicago:
Telephone: (312) 814-4000
Fax: (312) 814-4006
TTY: (888) 261-2887
Our Fraud Hotline is: Toll-Free: (855) 217-1895
Visit our web site at www.auditor.Illinois.gov for full details or for an on-line reporting form.
Organizational Chart
As of December 31, 2023, there were 74 employees. Sixty-nine were located in the Springfield Office and five in the Chicago Office.
The Compliance Examination Program
The Auditor General is required by the Illinois State Auditing Act to conduct, as is appropriate to the agency’s operations, a financial audit and/or compliance examination of every State agency at least once every two years. These audits and examinations inform the public, the Legislature, and State officers about the obligation, expenditure, receipt, and use of public funds, and provide State agencies with recommendations to help ensure compliance with State and federal statutes, rules, and regulations.
The Financial and Compliance Audit Division of the Office of the Auditor General (Office) conducted engagements at 71 agencies during the FY 2022 audit cycle. These engagements encompassed compliance examinations, financial audits, and federal single audits. Staff auditors conducted 13 of these audits. The remainder were performed by public accounting firms under the general direction and management of the Auditor General’s audit managers.
The Illinois Constitution of 1970 revised and expanded the traditional financial audits conducted of State agencies to focus on compliance with legislative intent and proper performance of governmental operations, as well as financial accountability.
The compliance program has a positive impact on the operations of State government because agencies implement many of the recommendations made in these reports. Compliance reports are also reviewed by the Legislative Audit Commission, where legislators question agency directors about audit findings and the corrective action they plan to take. Legislators and their staffs also use compliance reports during appropriation hearings in the spring legislative session. To maximize the usefulness of audit information, the Office attempts to deliver audits as early as possible in the legislative session.
Accountability
A number of reports issued since our last report had findings that were critically important from an accountability standpoint. A brief summary of some of these findings follows:
INADEQUATE FINANCIAL REPORTING PROCESS
The State of Illinois’ (State) current financial reporting process does not allow the State to prepare a complete and accurate Annual Comprehensive Financial Report (ACFR) in a timely manner. Reporting issues at various individual agencies caused delays in finalizing the financial statements. The lack of timely financial reporting limits effective oversight of State finances.
Accurate and timely financial reporting problems continue to exist even though the auditors have
(1) continuously reported numerous findings on the internal controls (material weaknesses and significant deficiencies), (2) commented on the inadequacy of the financial reporting process of the State, and (3) regularly proposed adjustments to the financial statements year after year. These findings have been directed primarily towards major State agencies under the organizational structure of the Office of the Governor (Governor) and towards the Office of Comptroller (Comptroller).
The Comptroller has made significant changes to the system used to compile financial information; however, the State has not solved all the problems to effectively remediate these financial reporting weaknesses. The State has a highly decentralized financial reporting process due to the use of numerous financial reporting systems, many of which are not interrelated and require manual intervention to convert data. The process is also overly dependent on the post audit program, even though the Office of the Auditor General has repeatedly informed State agency officials that the post audit function is not a substitute for appropriate internal controls at State agencies.
Annual financial reporting to the Comptroller requires the State’s agencies to prepare a series of financial reporting forms (SCO forms) designed by the Comptroller, which are utilized to prepare the ACFR. Although these SCO forms are subject to review by the Comptroller’s financial reporting staff during the ACFR preparation process and there are recommended minimum qualifications for all new generally accepted accounting principles (GAAP) coordinators who oversee the preparation of the SCO forms, the current process still lacks sufficient internal controls at individual agencies.
We recommended the Governor and the Comptroller continue to work together to resolve the State’s inability to produce timely and accurate GAAP-basis financial information.
The Office of the Governor agreed with the recommendation, and stated they will continue to work with the Comptroller and individual state agencies that have the most pressing challenges to produce timelier and more accurate GAAP-basis financial information. The state agencies under the Governor are completing the multi-year implementation of an Enterprise Resource Planning (ERP) system—an integrated enterprise-wide system that includes a financial accounting component.
As of July 2022, all 73 state agencies under the Governor’s purview are using the financial accounting component of the ERP system. Further, the Governor anticipates that all state agencies subject to the Grant Accountability and Transparency Act will join, in Fiscal Year 2024, the Statewide grants management system, currently under development. The grants management system will pull data from the ERP system, promoting consistency across state systems. Upon full implementation, the two systems are expected to improve internal controls and will better support the agencies’ production of accurate and timely financial statements. The Governor notes that he has no authority to direct or control the financial reporting processes employed by other constitutional offices.
The Office of Comptroller accepted the recommendation and stated the State still faces several roadblocks in the timely completion of the ACFR. The General Assembly enacted Public Act 96-1501, which extended the lapse period to October 31 for fiscal year 2021 and future fiscal years for medical payments of the Department of Veterans’ Affairs, and medical, childcare, and substance abuse treatment payments of the Department of Human Services. Public Act 102-0291 extended lapse period from August 31 to October 31 for fiscal year 2022 and future fiscal years for medical assistance payments of the Department of Healthcare and Family Services. More importantly, the ACFR completion continues to be delayed because of financial reporting issues identified during individual State agency financial and compliance audits. The report cannot be finalized until these issues are resolved at the individual State agency reporting level.
In addition, the Comptroller will continue to work with the Governor’s Office, the Auditor General’s Office, and agency GAAP coordinators to improve the timeliness and quality of reporting, including alternative options for the completion of the financial reporting process of the State.
INADEQUATE INTERNAL CONTROLS OVER ACCOUNTING FOR FEDERAL AWARDS
The Department of Human Services (Department) does not have sufficient internal control over accounting for grant transactions resulting in material misstatements to the draft financial statements.
For financial reporting purposes, the Department (Fiscal Services) tracks grant data for purposes of accruing grant receivables, unearned revenue, unavailable revenue and payable balances, all of which impact Federal Operating Grant Revenue, using Office of Comptroller required SCO forms including SCO-563 Grant /Contract Analysis, SCO-567 Interfund Transfers – Grantee Agency, and SCO-568 Interfund Transactions – Grantor Agency.
In preparing the SCO Forms, the Department made errors in reporting expenditure amounts, including expenditure adjustments; and cash receipts, including lapse period receipts, for its federal award programs, resulting in errors in the financial statements for grant transactions. Additionally, based on audit procedures performed, the SCO Forms required multiple revisions through February 24, 2023. Some of the most significant errors are as follows:
• Included in the errors was an adjustment for $41.9 million in the General Revenue Fund (0001). In March 2023, the Department communicated to auditors that there were qualifying expenditures incurred for a new grant award (10% enhanced match federal award for certain expenditures for home and community-based services (HCBS)), that had not been recorded as expenditures, receivables or revenues in the SCO Forms or in the original draft financial statements. Included in a letter provided by CMS (Centers for Medicare & Medicaid Services) dated May 13, 2021, and addressed to State Medicaid Directors (which includes Healthcare and Family Services (HFS), was an award for additional funding which was based on an increased Federal rate applied to HCBS for a specified period of time. This award is required to be used for providing enhanced HCBS and is considered to be an expenditure-driven grant. Based on the award requirements communicated, the Department incurred $41.9 million in qualifying expenditures for enhanced HCBS during fiscal year 2022. As of March 31, 2023, this earned amount had not been provided to the Department by HFS. HFS considers the amount received from the Federal government through their right of offset with other Medicaid related over-draws.
Further, during the audit it was noted that General Revenue Fund expenditures for the Social Services Block Grant (SSBG) ALN 93.667 were overstated in fiscal year 2020 by $29.6 million, resulting in a balance remaining in Due from Other Governments – Federal and Unavailable Revenue. The balances for Due from Other Governments – Federal and Unavailable Revenue were written off in fiscal year 2022. The resulting adjustment in governmental activities was reported as a reduction to fiscal year 2022 Federal Operating Grant Revenue. As a result of the entry recorded, Federal Operating Grant Revenue in the General Fund was understated and opening net position was overstated in Governmental Activities.
• In the Community Developmental Disabilities Services Medicaid Trust Fund (0142), the Department recognized all cash deposited into the fund by HFS as revenue. However, receipts exceeded qualifying expenditures incurred which resulted in an overstatement of Federal Operating Grant Revenue, and an understatement of Unearned Revenue of $23.6 million.
• A transfer of COVID-19 related grant funding between two funds - State C.U.R.E. Fund (0324) and DHS State Projects Fund (0642) was not accounted for correctly resulting in a $20 million understatement of cash in the DHS State Projects Fund (0642), which was not detected and corrected during the Department’s bank reconciliation process. Interfund balances between the two funds were understated by the same amount due to the lack of qualifying expenditures in Fund 0642.
• Expenditures and receipts between three Childcare Program assistance listing numbers (ALNs) for the Employment and Training Fund (0347) were misstated which led to overstatements of Unearned Revenue ($257.8 million), Due from Other Governments - Federal ($189.3 million) and Unavailable Revenue ($181.0 million). Federal Operating Grant Revenue was understated by $249.5 million.
Further, two of the errors noted in the finding were brought to the attention of auditors’ months after the end of the fiscal year, and after four previous financial statement drafts had been provided. Specifically, as noted above in item 1, auditors were provided information in March 2023 about additional HCBS receivables which management should have been aware of since the start of the fiscal year when it was communicated by Federal CMS. Additionally, with regards to one of the uncorrected misstatements, the under reporting of DD program expenditures for Medicaid funded and waiver programs was not communicated to auditors until June 2023, despite management becoming aware of the issue in November 2022.
We recommended the Department strengthen its internal control over preparing the SCO Forms by including a reconciliation of Federal grant receipts and expenditures by ALN included in each SCO Form to the general ledger for each fund (the ERP System). Deposits of federal draws should be recorded in the fund(s) that incurred the associated expenditures. Once prepared, balances reported in the SCO forms should be compared to the draft financial statements, by fund, to conclude if amounts are reasonable. Additionally, large balances in Due from Other Governments – Federal, Unearned Revenue and Unavailable Revenue should be investigated as they are unusual for reimbursement type grant awards in which the Department can generally draw funds monthly upon the incurrence of qualifying expenditures.
Additionally, we recommended Department management promptly disclose known events, conditions, and transactions of the Department which could impact either an ongoing audit or previously released audit performed by the Office of the Auditor General, even if the full ramifications of the matter are not yet known.
The Department accepted the recommendation and stated it will include a reconciliation of federal grant receipts and expenditures to the general ledger in the ERP for all ALN’s included on each SCO563. Balances reported on the SCO563’s will also be compared to the corresponding funds in the draft financial statements. Any large balances on the SCO563 related to Due from the Federal Government, Unearned Revenue and Unavailable Revenue will also be researched and the underlying reasons noted. The Department will promptly disclose any known events, conditions or transactions that could affect current or previously issued audits performed by the Office of the Auditor General, in the event, that such concerns are identified.
INSUFFICIENT CONTROLS OVER ADMINISTRATION OF MEDICAID CLAIMS
The Department of Healthcare and Family Services (Department) did not have adequate internal controls to ensure all eligible expenditures initiated by other State agencies were included in its Medicaid federal financial participation (FFP) reimbursement claims.
On June 12, 2023, nearly one year from the June 30, 2022, financial statements date, Department management notified us that it did not include certain other agency waiver Medicaid expenditures, made by the Department of Human Services (DHS), in its quarterly FFP claims during the fiscal year ended June 30, 2022.
As part of its operational responsibilities, DHS administers Home and Community Based Services (HCBS) developmental disabilities (DD) waiver programs. Weekly, DHS sends the Department, via an automated file transfer, its DD expenditure information. After each automated file transfer of expenditure data occurs, an acceptance/rejection report is generated and automatically sent from the Department to DHS for them to review and notify the Department of any discrepancies. On a quarterly basis, the Department also generates a federal revenue summary report which is provided to DHS that reflects the funds it expended on programs for which Medicaid FFP is claimed. The summary report includes the total claimed for FFP related to DHS expenditures for the most recent quarter, as well as the preceding quarters of the fiscal year. DHS is expected to review the summary report and notify the Department of any discrepancies. The Department, as the lead agency for the State’s Medicaid program, submits quarterly FFP claims to the U.S. Department of Health and Human Services, Centers for Medicare & Medicaid Services (Federal CMS) for reimbursement according to the applicable Medicaid FFP percentage.
In January 2021, failures in the automatic transmission of expenditure data from DHS to the Department began occurring, resulting in the Department’s inability to claim FFP for DD waiver expenditures. The cause of the data transfer failure from January 2021 through June 2021 is not known. Additionally, in July 2021, DHS moved from its previously used software platform to the State of Illinois’ Enterprise Resource Planning (ERP) System. When the software platform change was implemented, a programming error occurred which prevented the automated file transfer from taking place. Because the Department did not receive the expenditure data, federal claiming on these DD expenditures did not occur during the audit period. The programing error continued until January 2023. Further, because the Department did not receive the expenditure information, the acceptance/rejection and federal revenue summary reports noted above did not include such expenditures and DHS staff did not subsequently identify they were missing. The automated file transfer issue impacted only federal claiming and had no effect on DHS’ payment to providers.
DD waiver expenditures described herein are paid from DHS’ appropriations and reported by DHS, while the revenue from the FFP reimbursements is deposited and reported by the Department in the General Revenue Fund (GRF). Such divergence in the reporting of DD waiver expenditures and resultant revenues inherently increases the risk that errors and omissions in claiming may occur.
As a result of the inadequate internal controls which led to the missing DHS expenditure data for which to claim FFP, DD expenditures were excluded from the Department’s Federal CMS quarterly claims for roughly a 24-month period (substantially all of calendar 2021 and 2022). For fiscal year 2022, we noted the Department did not submit approximately $1.1 billion in DD expenditures to Federal CMS on its quarterly claims report until the quarter ended March 30, 2023. The FFP portion of the $1.1 billion in DD expenditures equated to approximately $601 million in federal grant revenue to the State of Illinois which was delayed in being deposited into the State Treasury for up to 21 months. The amount of FFP claimed from expenditures paid after fiscal year 2022 up until the automated file transfer error was identified and resolved was outside the fiscal year 2022 audit period, and therefore, we did not request such information.
Further, because the Code of Federal Regulations (45 C.F.R § 95.7) states the Department can only claim FFP reimbursement within 2 years after the calendar quarter in which the qualifying expenditure has been paid, the Department was unable to claim FFP on approximately $80 million of DD expenditures paid by DHS during the quarter ended March 31, 2021, representing approximately $40 million of federal grant revenue being lost to the State if not granted an exception by the federal government.
We recommended the Department implement adequate internal controls over its administration of the Medicaid claims process in order to timely identify any missing expenditure data with which to claim FFP for eligible expenditures initiated by other State agencies. We also recommended the Department coordinate with DHS, and other State agencies where applicable, to prospectively explore affecting a budgeting change whereby the reimbursement revenue of individual programs are deposited and reported by the same agency and within the same fund to increase oversight thereof.
HFS accepted the recommendation and stated it will begin conversations with the Governor’s Office of Management and Budget and the Illinois Office of the Comptroller to explore options for allowing GRF federal revenue to be reflected in the financial statements of non-Healthcare and Family Services agencies responsible for the administration of Medicaid services. The Department also stated the Department and DHS will reinforce the use of current internal controls and pursue a corrective action plan. Further, regarding the timing of the Department’s auditor notification, the Department stated it will engage in conversations with the auditors concerning their expectations relative to when less than fully vetted issues should be brought to their attention.
FAILURE TO MAINTAIN ACCURATE AND COMPLETE PANDEMIC UNEMPLOYMENT CLAIMANT DATA
The Department of Employment Security (Department) failed to maintain accurate and complete Pandemic Unemployment Assistance (PUA) claimant data.
On March 27, 2020, the President of the United States signed the Coronavirus Aid, Relief, and Economic Security (CARES) Act which provided states the ability to provide unemployment insurance to individuals affected by the pandemic, including those who would not normally be eligible for unemployment. Based on the Department’s records, as of June 30, 2022, 11,213 claimants received payments totaling $3,026,210,633.
In order to determine if claimants were eligible for benefits, we requested claimant data. Although the claimant data was provided, the data required considerable manipulation in order to make the data auditable and organized. Therefore, we were unable to determine if the data was complete and accurate. As a result, we were unable to conduct detailed testing to determine whether the claimants were entitled to benefits.
We recommended the Department implement controls to ensure the claimants’ data is complete and accurate.
The Department accepted our recommendation.
FAILURE TO MAINTAIN PROPER SEGREGATION OF DUTIES OVER DAYCARE
The Department of Children and Family Services (Department) failed to maintain proper segregation of duties over access to the Department’s daycare providers’ licensing information, child care information and billing system.
The Department maintains data related to entities who provide daycare services to the children in the State’s care and specific data related to the children themselves. As a result of these services, the Department makes payment to these entities. During the audit period, the Department expended $34,778,402 related to daycare services.
We conducted testing of the users’ access right to daycare providers’ licensing information, child care information and billing system to determine if proper segregation of duties had been implemented. Individuals should not have the ability to establish a daycare provider, a child-in-care, and to submit and approve billings and payments. Our testing results noted 45 of 2,348 (2%) users had rights to enter, modify and delete daycare providers’ information, child information and billing information. As a result, the Department failed to maintain proper segregation of duties.
We also reviewed the Department’s user access review reports to the daycare providers’ licensing information, child care information and billing system for three months, noting three of seven (43%) monthly reports had not been reviewed.
We recommended the Department implement proper segregation of duties and ensure no one individual has the rights to enter, modify, and delete daycare providers’ information, child information and billing information. Additionally, we recommended the Department complete the monthly user access reviews.
The Department agreed with the auditor’s recommendation and stated it has begun the process of conducting an extensive review of its daycare processes and will make all necessary changes to ensure appropriate segregation of duties are in place over its Daycare system. The Department also stated it will review its procedures over access rights review to ensure they are up to appropriate standards
LACK OF DOCUMENTATION OF MONITORING OF CONTRACTS WITH PROVIDER AGENCIES
The Department of Children and Family Services (Department) did not adequately document the monitoring of its provider agencies for compliance with contract terms.
The Department could not provide documentation demonstrating it had conducted monitoring of its non-substitute care service provider agencies. The non-substitute care provider agencies provide services which include, but are not limited to, counseling, habilitation, advocacy centers, system-of-care grants, and other child specific services. Specifically, we noted the Department was unable to provide documentation it had conducted monitoring, as specified in the contracts, for 12 of 60 (20%) contracts tested. Total grants expended for the 12 contracts during fiscal years 2021 and 2022 totaled $15,593,544. Due to the Department being unable to provide documentation to demonstrate it had conducted monitoring, we cannot determine whether annual reviews required to be submitted by 9 of 12 grantees were performed by Department staff.
We recommended the Department perform and document adequate monitoring on all contracts to ensure contract payments are for services received and program plans and performance goals of the provider agencies are achieved.
The Department agreed with the finding and stated it will ensure staff serving in the contract monitoring role are performing monitoring duties pursuant to program plans. The Department further stated it has added regional leadership roles to increase the oversight of regional based staff after facing staffing shortages during the time of this audit which was also during the global pandemic. Lastly, the Department stated it is also pursuing a new performance monitoring tool to aid in tracking and documentation of monitoring agency contracts.
VOUCHER PROCESSING WEAKNESSES
The Illinois Department of Veterans’ Affairs (Department) did not exercise adequate controls
over its voucher processing during the examination period.
We conducted an analysis of the Department’s expenditure data for Fiscal Year 2021 and Fiscal Year 2022 and noted the following:
• The Department did not timely approve 3,004 of 15,454 (19%) vouchers processed during Fiscal Year 2021. The vouchers were submitted to the Office of Comptroller (Comptroller) between 31 and 422 days late.
• The Department did not timely approve 1,773 of 13,143 (13%) vouchers processed during Fiscal Year 2022. The vouchers were submitted to the Comptroller between 31 and 366 days late.
We recommended the Department process proper bills within 30 days of receipt.
The Department accepted our recommendation and stated it would take the necessary steps to comply with statutory requirements.
FAILURE TO NOTIFY STUDENTS UPON DISBURSEMENT OF FUNDS
The Chicago State University (University) did not notify the students upon disbursement of grant funds and loans.
During testing of nine students, who received Teacher Education Assistance for College and Higher Education Grants (TEACH) totaling $21,220, we noted six (67%) students with grant disbursements totaling $16,505 were not notified by the University indicating the funds were credited to the students’ accounts.
In addition, during testing of 25 students, who received Federal Direct Student Loans totaling $447,363, we noted 25 (100%) students were not notified by the University indicating the funds were credited to the students’ accounts.
We recommended the University strengthen controls to ensure timely notification is sent to students upon disbursement of grant funds and loans.
The University agreed with the recommendation and stated the University is developing a corrective action plan for implementation.
FAILURE TO COMPLY WITH EXECUTIVE ORDER 2016-01
The Department of Innovation and Technology (Department) failed to comply with provisions of Executive Order 2016-01: Executive Order Consolidating Multiple Information Technology Functions Into A Single Department of Innovation and Technology.
During our testing, we noted 42 agencies had transferred their Information Technology (IT) functions to the Department. However, we noted the Department had not entered into Intergovernmental Agreements (IGA) with six (14%) and seven (17%) agencies for Fiscal Years 2021 and 2022, respectively.
Additionally, of the agencies statutorily required to transfer their IT functions to the Department, the IGAs were not executed in a timely manner during the examination period. Specifically,
• 35 of 36 (97%) Fiscal Year 2021 IGAs were not executed timely.
• 35 of 35 (100%) Fiscal Year 2022 IGAs were not executed timely.
The IGAs were executed 168 to 998 days after the effective date of the agreement.
We recommended the Department work with the agencies to ensure IGAs are timely executed and IGAs are entered into with all transferring agencies.
The Department accepted the finding and recommendation and stated it had not completed the transfer of all personnel and property for agencies identified in the statute and continues to work with agencies to complete the transfer of personnel and property as required by the Executive Order and Department of Innovation and Technology Act (20 ILCS 1370). The Department further stated it had provided IGAs for client agency signature to all transferring agencies and follows up with the agencies to have agreements in place, Lastly, the Department stated they were funded via charging back agencies for costs and the significant delay in both the payment cycle and the deposit of cash into the Department’s Technology Management Revolving Fund has prevented the full transfer of the remaining personnel to Department payroll.
INADEQUATE CONTROLS OVER ACCESS TO APPLICATIONS AND DATA
The Department on Aging (Department) lacked adequate internal controls over users’ access to its applications and data.
We requested the Department to provide the populations of users to the Facility Case Review, Adult Protective Services Billing, and Critical Event Reporting systems to determine if the users’ access was appropriate. In response to our request the Department provided the populations; however, they did not provide documentation demonstrating the user population for Facility Case Review system was complete and accurate. Due to these conditions, we were unable to conclude the Department’s population records were sufficiently precise and detailed under the Professional Standards promulgated by the American Institute of Certified Public Accountants (AT-C § 205.36).
Even given the population limitation noted above, we performed testing of users’ access rights, noting:
• Two of 2 (100%) Facility Case Review system users’ access were not appropriate.
• Four of 9 (44%) Adult Protective Services Billing system users’ access were not appropriate.
• Two of 8 (25%) Critical Event Reporting system users’ access were not appropriate.
Further, we noted the Department could not provide the following:
• Evidence of security software accounts had been reviewed.
• Evidence of periodic user access reviews for the following applications managed by the Department of Innovation and Technology (DoIT):
— Central Time and Attendance
— E-Time
— Central Payroll System
— ERP
We recommended the Department strengthen its controls to ensure complete and accurate user populations, along with supporting documentation, is retained. In addition, we recommended the Department conduct and document periodic reviews of users of its systems to ensure access is appropriate.
The Department partially concurred with the finding and stated prior to the transformation to DoIT in April 2022, the Department utilized DoIT’s methodology. The Department further stated it will strengthen internal controls to ensure complete and accurate user populations, along with supporting documentation, and retain documentation of periodic reviews.
INADEQUATE INTERNAL CONTROLS OVER INTERGOVERNMENTAL AGREEMENTS
The Illinois State Toll Highway Authority (Tollway) did not have adequate internal controls in place to ensure transactions over Intergovernmental Agreements (IGA) were properly recorded for financial reporting purposes.
The Tollway enters into intergovernmental agreements with other governments and municipalities for cost sharing on construction projects that impact both the Tollway and other entities’ property. The intergovernmental agreements itemize the estimated costs to each party. The Tollway utilizes percentage of completion reports to calculate the estimated amount due from each entity at a given point in time. The amount due from the other entity is recorded as a receivable and as a reduction of Assets Under Construction (capital asset – construction in progress). IGA revenue and expense are recognized for the same amount. Upon completion of the project, final actual costs are determined, and the final receivable is adjusted to the earned amount. The net effect is no impact to the Tollway’s Net Position.
During our testing of Intergovernmental Receivables, we noted the Tollway improperly recorded receivable balances from two entities within an IGA resulting in an overstatement of Intergovernmental Receivables of $4,971,539, an understatement of Capital Assets of $4,971,539, and an overstatement of both Revenue and Expense of $4,971,539. All errors net to a zero effect on the Statement of Net Position and the Statement of Revenue, Expenses and Changes in Net Position.
After extrapolating the known errors over the sample population of $12,829,216, the estimated projected impact of these errors is an overstatement of Intergovernmental Receivables of $8,100,807, an understatement of Capital Assets – Construction in Progress of $8,100,807, and an overstatement of both Revenues and Expenses under IGA’s of $8,100,807. The net effect of this error on net position is $0. Management elected not to record the proposed adjusting entry for this error.
We recommended the Tollway implement controls to ensure Intergovernmental Agreements are reviewed and accurately accounted for to reduce the risk of future potential misstatements.
Tollway officials concurred with the recommendation and stated they have enhanced their verification procedures for Intergovernmental agreement accounting to include additional verifications of payment terms and balances with Tollway staff involved in drafting and administering the agreements.
NONCOMPLIANCE WITH THE STUDENT ONLINE PERSONAL PROTECTION ACT
The Illinois State Board of Education (Agency) did not comply with the Student Online Personal Protection Act (Act).
During our testing, we noted the Agency failed to publish and maintain on its website a list of all entities or individuals the Agency contracts with or has written agreements with that hold covered information and a copy of each contract or written agreement.
We recommend the Agency establish internal controls to determine which entities or individuals the State Board contracts with or has written agreements with that hold covered information and publish a list of those entities along with a copy of each contract or written agreement in accordance with the State law.
The Agency agreed with the finding and stated it has implemented the recommended changes to correct the noncompliance issue as the Research Department has now published the required list on its website and has taken steps to automate this process through its Contract Authorization Form System.
FAILURE TO FULLY UTILIZE THE STATE’S ENTERPRISE RESOURCES PLANNING SYSTEM
The Illinois Gaming Board (Board) did not utilize all capabilities of the State’s Enterprise Resource Planning (ERP) system, which resulted in unnecessary inefficiency.
During our examination, we noted the Board recorded financial transactions; however, the Board did not fully utilize the Project/Cost Accounting (Controlling), Funds Management, or General Ledger ERP modules.
• The Controlling module collects, analyzes, distributes, allocates, and reports on financial data according to cost objects.
• The Funds Management module maintains, tracks, and reports on revenues, expenditures, commitments, obligations, and transfers for each fund and budget.
• The General Ledger module records the financial transactions of an agency and the State chart of accounts.
The concept of accountability for use of public resources and government authority is key to our governing processes. Management and officials entrusted with public resources are responsible for carrying out public functions and providing service to the public effectively, efficiently, economically, and ethically within the context of the statutory boundaries of the specific government program.
We recommended the Board work with the Department of Innovation and Technology to transition and fully utilize the Project/Cost Accounting (Controlling), Funds Management and General Ledger ERP modules of the ERP system.
Board management agreed with the recommendation and stated the Board is currently working to incorporate additional ERP functionality to assist with fiscal process performed throughout the year.
INADEQUATE CONTROLS OVER SERVICE PROVIDERS
The Office of Comptroller (Office) had not implemented adequate controls over its service providers.
We requested the Office provide the population of service providers utilized during the examination period to determine if the Office had reviewed the internal controls of its service providers. In response to our request, the Office provided a listing; however, the Office did not provide documentation demonstrating the listing was complete and accurate.
Due to these conditions, we were unable to conclude the Office’s population records were sufficiently precise and detailed under the Professional Standards promulgated by the American Institute of Certified Public Accountants (AT-C § 205.36).
Even given the population limitations noted above, we performed testing over three of six service providers identified by the Office. The Office utilized service providers for hosting services and software as a service. Our testing noted the Office had not:
• Obtained System and Organization Control (SOC) reports or conducted independent internal control reviews for the three service providers.
• Conducted an analysis to determine the impact of noted deviations within the SOC report.
• Monitored and documented the operation of the Complementary User Entity Controls (CUECs) related to the Office’s operations.
• Obtained and reviewed SOC reports for subservice providers or perform alternative procedures to determine the impact on its internal control environment.
• Developed or implemented procedures for monitoring service providers.
We also noted the service providers’ contracts did not contain requirements for independent reviews to be conducted.
We recommended the Office strengthen its controls in identifying and documenting all service providers utilized. Further, we recommended the Office:
• Obtain SOC reports or conduct independent internal control reviews.
• Conduct an analysis to determine the impact of noted deviations within the SOC report.
• Monitor and document the operation of the CUECs related to the Office’s operations.
• Obtain and review SOC reports for subservice providers or perform alternative procedures to determine the impact on its internal control environment.
• Develop and implement procedures for monitoring service providers.
• Ensure the service providers’ contract contain requirements for independent reviews to be conducted.
The Office agreed with the recommendations and stated the Office was developing a process and formalizing procedures to identify, obtain, and document review of service organizations.
NONCOMPLIANCE WITH THE CHICAGO STATE UNIVERSITY LAW
The Chicago State University (University) did not fully comply with the requirements of the Chicago State University Law regarding flexible hours positions.
The University Board of Trustees (Board) established goals for flexible hours positions at the University. The Board passed a resolution in 2013 to achieve a goal of having 20% of its employees working flexible schedules by 2016. During testing, we noted the University reached its 20% goal; however, the University did not begin the process of evaluating the effectiveness and efficiency of the flexible hours program.
We recommended the University evaluate the effectiveness and efficiency of the program in compliance with the requirements of the Chicago State University Law.
University officials agreed with the recommendation and stated the University is implementing a corrective action plan to demonstrate an evaluation on the efficiency and effectiveness of the flexible hours program.
EXCESSIVE VACANCIES ON THE ORGANIZATIONAL CHART
The Department of Commerce and Economic Opportunity’s (Department) organizational chart contains excessive vacancies and no longer reflects a usable representation of the organizational structure of the Department.
During the examination, we obtained the Department’s most recently compiled organizational chart. For the two years ended June 30, 2022, the Department’s organizational chart depicts 772 positions, of which 194 were filled and 578 were vacant (75%).
The Department’s headcount, going back approximately 20 years, was highest in Fiscal Year 2004 at 519 employees. During inquiry with Department management during our examination, Department management stated it does not view “vacant” positions on the organizational chart as needed to be filled in a specific time frame. Rather, vacancies on the organizational chart are place-holders for positions that can be filled and are part of the approved headcount. We recommended the Department annually evaluate and update its organizational chart to reflect the true reporting lines and programs of the Department.
The Department disagreed with our recommendation and stated that it believed the criteria applied to the Department was a best practice for non-governmental organization. The Department stated that governmental agencies do not operate in the same manner as non-governmental organizations due to the levels of bureaucracy required. The Department stated that in order to be agile and swiftly responsive to new or changing legislation, the Department strategically maintains positions in the organization chart because lead times for establishing positions have historically been very long. The Department stated that lead times for many of its position types have recently been reduced, and therefore the Department began the process to eliminate many of the vacant positions on the organization chart.
Accountants commented that an organizational chart should be a pictorial representation of an agency’s lines of authority and communication to assist management with managing the organization and only include vacancies expected to be filled within a reasonable period of time. The Department’s organizational chart contains so many vacancies
that its usefulness as a management tool has been significantly degraded.
NONCOMPLIANCE WITH EXTENDED SUPERVISION OF SEX OFFENDER REQUIREMENTS OF THE UNIFIED CODE OF CORRECTIONS
The Department of Corrections (Department) failed to report individuals’ progress under the extended supervision of sex offender requirements of the Unified Code of Corrections (Code).
During Fiscal Year 2021 and Fiscal Year 2022, there were a total of 446 and 498, respectively, individuals released under extended mandatory supervision of sex offender requirements. These individuals are defined by the Code (730 ILCS 5/5-8-1(d)(4)) as including those who committed the offense of predatory criminal sexual assault of a child, aggravated criminal sexual assault, criminal sexual assault, certain offenses of aggravated child pornography, or manufacture or dissemination
of child pornography after specified dates, whose terms of mandatory supervised release range from 3 years to life.
During the examination period, the Department did not submit the required progress reports to the chief of police or sheriff in the municipality or county in which the offender resides and is registered.
The auditors recommended the Department comply with the sex offender progress report requirements of the Code. The auditors further recommended the Department pursue legislative change if they do not believe the current statutory provisions are reasonable and appropriate.
The Department stated that the recommendation is implemented and the Department is in the process of seeking legislative remedy.
FAILURE TO EXECUTE INTERGOVERNMENTAL AGREEMENTS
The Illinois Housing Development Authority (Authority) did not execute an intergovernmental agreement with other State of Illinois agencies before being subgranted funding for the Coronavirus State and Local Fiscal Recovery Funds (SLFRF) and Housing Assistance Fund (HAF) programs.
During our testwork over the SLFRF and HAF programs, we requested IHDA provide us with the grant agreement/subrecipient agreements between IHDA and other State of Illinois agencies who passed through SLFRF and HAF funding to the Authority during fiscal year 2022. After discussion with Authority management, we learned that no such subrecipient agreements/intergovernmental agreements were executed for the SLFRF and HAF funding IHDA received.
We recommended the Authority obtain intergovernmental agreements with other State of Illinois agencies before being subgranted funding.
Authority officials agreed with the recommendation.
INADEQUATE INTERNAL CONTROLS OVER CENSUS DATA
The Western Illinois University (University) did not have adequate internal control over reporting its census data and did not have a reconciliation process to provide assurance census data submitted to its pension and other postemployment benefits (OPEB) plans was complete and accurate. We noted the following:
• The University had not performed an initial
complete reconciliation of its census data recorded by State Universities Retirement System (SURS) to its internal records to establish a base year of complete and accurate census data.
• After establishing a base year, the University had not developed a process to annually obtain from SURS the incremental changes recorded by SURS in their census data records and reconcile these changes back to the University’s internal supporting records.
• During our cut-off testing of data transmitted by the University to SURS, we noted 8 instances of an active employee becoming inactive or part-time and 1 instance of an inactive employee becoming retired were reported to SURS after the close of the fiscal year in which the event occurred.
We recommended the University continue to work with SURS to complete the base year reconciliation of Fiscal Year 2021 active members’ census data from its underlying records to a report of census data submitted to SURS’ actuary and CMS’ actuary.
After completing an initial full reconciliation, the University may limit the annual reconciliations to focus on the incremental changes to the census data file from the prior actuarial valuation, provided no risks are identified that incomplete or inaccurate reporting of census data may have occurred during prior periods. Any errors identified during this process should be promptly corrected by either the University or SURS, with the impact of these errors communicated to both SURS’ actuary and CMS’ actuary. Further, we recommended the University ensure all events occurring within a census data accumulation year are timely reported to SURS so these events can be incorporated into the census data provided to SURS’ actuary and CMS’ actuary.
University officials agreed with the finding and stated it has submitted all data to SURS as part of a baseline reconciliation process and an annual reconciliation process will be created and enacted moving forward.
PROPERTY CONTROL WEAKNESSES
The Department of Military Affairs (Department) did not maintain sufficient controls over its property and related fiscal records.
During testing, we noted the Department did not maintain detailed supporting documentation for its quarterly Agency Report of State Property (Form C-15) filed with the Office of Comptroller (Comptroller). As of June 30, 2021, and 2022, the Department reported total property of $462.1 million and $472.6 million, respectively. Due to the lack of detailed documentation, the following compliance examination procedures could not be performed:
• The State property listing provided by the Department in response to audit requests could not be reconciled with the ending balances reported in the Form C-15 Reports for the fourth quarters ended June 30, 2021, and June 30, 2022, and to the balances reported in the annual inventory certifications submitted to the Department of Central Management Services (CMS).
• Annual additions, deletions and net transfers report provided by the Department could not be agreed to activity reports in the quarterly Form C-15 Reports submitted to the Comptroller.
• Property additions per the Form C-15 Reports could not be reconciled to the Comptroller’s records reflected on the Object Expense/Expenditures by Quarter Report (SA02).
• During testing, the Department failed to provide documentation of supporting calculations for the SCO-537/538 forms, and therefore, we were unable to test if the Department appropriately recorded the purchase as a building improvement, land improvement, or site improvement.
Due to these conditions, we were unable to conclude whether the Department’s population records were sufficiently precise and detailed under the Attestation Standards promulgated by the American Institute of Certified Public Accountants (AT-C § 205.36) to test the Department’s equipment.
Even given the population limitations noted above which hindered our ability to conclude whether selected samples were representative of the population as a whole, we performed testing using the records available.
Some of the more significant issues noted included the following:
• Thirteen of 60 (22%) equipment items were not found in the Department’s property listing.
• Thirty-eight of 60 (63%) equipment items, totaling $689,471, were recorded in the Department’s property records more than 90 days after acquisition, ranging from 42 to 1,408 days late.
• Four of 60 (7%) equipment items, totaling $172,020, were recorded twice in the Department’s records.
• Twenty-seven of 29 (93%) permanent improvement vouchers tested, totaling
$7,381,530, were remodeling, renovation, and site improvement expenditures, but were not added to the Department’s property records.
• For nine of nine (100%) Capital Development Board (CDB) projects tested, totaling $12,816,993 as of June 30, 2022, the Department failed to record transfers-in from CDB to the Department’s property records.
We recommended the Department take actions to strengthen its internal controls over the recording and reporting of its State property and equipment transactions to ensure property records accurately reflect equipment on-hand in accordance with State regulations, and equipment items are properly inventoried and tagged. Further, we recommended the Department implement a corrective action plan to complete a full inventory to identify and correct its accumulated property and equipment errors.
Department officials agreed with the finding.
INFORMATION SECURITY WEAKNESSES
The Illinois State University (University) had multiple computer security weaknesses.
During testing, we identified the following security weaknesses:
• The University’s Information Technology (IT) policies and procedures were updated during the audit period to reflect the University’s current environment or address future changes in processes and new systems, however the updates have not been reviewed and approved.
• The University did not formally document whether users’ roles within its applications were appropriate for all departments.
• The University did not conduct segregation of duties reviews between development and production environments for systems where University personnel have development responsibilities.
• For Colleague, an application used for financial reporting, and iPeople, the University’s human resources and payroll application, we noted some users still had access to the application after the University’s period for removing access had passed.
• During our review of user access listings during December 2021, we noted some users with general access to the various University systems, which was previously necessary based on their prior job duties, still had this access after their termination. While it is possible some of this access was appropriate after the employee’s termination date, the University was unable to show the access rights which remained were appropriate.
• The University has not established a process or procedure for timely documenting its risk analysis and reasoning for when a failed patch of its system endpoints and servers can be exempted.
We recommended the University implement adequate security, including:
• approving the updated policies and procedures to (1) reflect the University’s current environment and (2) address future changes in processes and new systems;
• document, during formal user access reviews, the appropriateness of each user’s access to the University’s applications for all departments;
• perform an annual review of segregation of duties or compensating controls exist for University personnel with development responsibilities;
• ensuring access to all applications is terminated in a timely manner and any access remaining after an individual departs from the University is limited and appropriate; and,
• establishing a process or procedure to ensure all devices are timely patched with vendor updates and that any failed patches of system endpoints and servers have a documented risk assessment and reasoning for why an exemption to the patching requirement is necessary.
University officials concurred with our finding.
INADEQUATE CONTROLS OVER HISTORICAL ARTIFACTS
The Department of Natural Resources (Department) did not have adequate controls over historical artifacts.
The Department did not maintain a central inventory of its historical artifacts. Each historical site maintained their own inventory listing and there was not an independent review of items added to or removed from the listing maintained by each site. Also, physical inventory counts were performed by the custodians of the artifacts, not by independent persons.
Due to the deficiencies noted above, we were unable to conclude the Department’s population records of historical artifacts were sufficiently precise and complete under the Attestation Standards promulgated by the American Institute of Certified Public Accountants (AT-C § 205.36) to test the Department’s compliance relative to historical artifacts.
Even given the population limitations noted above which hindered our ability to conclude whether the records were complete and accurate, we requested the Department provide the population of historical artifacts for three historical sites and noted the following:
During our physical inspection of 30 historical artifacts:
• Three (10%) artifacts were found in a location different from the location indicated in the artifacts listing.
• Seven (23%) artifacts could not be located.
• One (3%) artifact’s ID number did not correspond to the ID number listed on the artifact.
During our tracing of 30 historical artifacts to the Department records:
• One (3%) artifact was not tagged with an artifact ID number, therefore, the item could not be traced to the artifact listing.
• Five (17%) artifacts could not be traced to the artifacts listing.
We recommended the Department maintain a central inventory listing of historical artifacts and implement internal controls requiring additions and deletions to the artifacts catalog be independently reviewed and approved. We also recommended the Department ensure the inventory of all historical artifacts is performed and/or reviewed by independent personnel. Further, we recommended the Department strengthen its internal controls to ensure records are accurately maintained and artifacts are properly accounted for.
Department officials agreed with our recommendation and stated they have established a collections committee for reviewing the acquisition/removal of artifacts. Department officials also stated they would continue to work towards obtaining an independent review of the inventory of historical artifacts, but lack of manpower was hampering their efforts to comply with independent reviews.
INADEQUATE CONTROLS OVER RECEIPTS AND RECONCILIATIONS
The Illinois State Police (Department) did not maintain adequate internal controls over receipts and reconciliations.
Controls Over Cash Receipts
During testing, we requested the Department provide the population of cash receipts received by the Department during Fiscal Years 2021 and 2022 for the State Asset Forfeiture Fund (Fund 514) in order to test compliance applicable to those receipts. In response to our request, the Department provided a listing of cash receipts. We noted the Department’s population of cash receipts did not agree to the documentation in the Department’s Revenue Status Report (SB04) reconciliations for Fiscal Year 2021 or Fiscal Year 2022.
Due to these conditions, we were unable to conclude the Department’s population records were sufficiently precise and detailed under the Attestation Standards promulgated by the American Institute of Certified Public Accountants (AT-C § 205.36) to test the Department’s compliance relative to cash receipts.
Additionally, we noted the Department did not maintain proper segregation of custody and recordkeeping duties over receipt collection and processing. One employee was responsible for:
• Preparing a log of receipts received;
• Recording receipts in the receipts ledger; and
• Depositing funds into the State Treasury.
Controls Over Cash Reconciliations
During testing of Fiscal Year 2022 and 2021 reconciliations between the Comptroller’s records and the Department’s records for Fund 514, we noted:
• Monthly SB04 reconciliations for Fiscal Years ended June 30, 2022 and 2021 contained unexplained reconciliation discrepancies totaling a net amount of $563 and $896, respectively.
• SB04 reconciliations for Fiscal Year 2021 were not reconciled by receipt account; whereby each Fund was reconciled in total.
• Monthly Appropriation Status Report (SB01) and Object Expense/Expenditure by Quarter Report (SA02) final lapse period reconciliations for the Fiscal Years Ended June 30, 2022 and 2021 contained unexplained and uncorrected
reconciliation discrepancies. The net discrepancies shown on the September 30, 2021 and August 31, 2022 SB01 and SA02 reconciliations totaled $563 and $1,810, respectively.
• Five of 29 (17%) monthly SB01 and SA02 reconciliations were not performed within 60 days following the end of the month. The SB01 reconciliations were completed 1 to 446 days late.
• Three of 29 (10%) monthly SB01 and SA02 reconciliations did not have documentation retained to indicate the date prepared and supervisor review of the reconciliation.
• Seven of 24 (29%) Monthly Cash Report (SB05) reconciliations were not performed within 60 days following the end of the month. The SB05 reconciliations were completed 1 to 82 days late.
• Four of 24 (17%) SB05 reconciliations were not reviewed by a supervisor or an independent person. In addition, one of four SB05 reconciliations did not indicate when the reconciliation was prepared.
We recommended the Department establish and document proper segregation of duties over the receipts process, establish internal controls to ensure receipts and expenditures are properly reconciled and records are timely corrected, and accurate documentation is maintained to support receipt activities and related reviews performed.
Department management concurred with the finding and stated they had made progress in the timeliness of the reconciliations between Fiscal Years 2021 and Fiscal Years 2022; however, turnover and system errors remained a barrier. Additionally, the Department is developing a plan to provide additional support for reconciliations and will continue to work with the Department of Innovation and Technology to address errors in the reports produced by the financial system.
FAILURE TO COMPLY WITH THE SEIZURE AND FORFEITURE REPORTING ACT
The Illinois State Police (Department) did not comply with the Seizure and Forfeiture Reporting Act (Act).
The Act (5 ILCS 810/10(d)), effective August 3, 2018, requires the Department to adopt rules to administer the asset forfeiture program, including the categories of authorized expenditures consistent with the statutory guidelines for each of the included forfeiture statutes, the use of forfeited funds, other expenditure requirements and the reporting of seizure and forfeiture information. However, the Department had not adopted rules regarding the categorization of authorized expenditures to ensure they were consistent with the statutory guidelines for each forfeiture statute.
Due to the lack of rules we were unable to test the disbursements to determine if they were made in accordance with the Act. Furthermore, we could not determine if the administrative costs charged to the fund were reasonable.
We recommended the Department comply with the Act and adopt rules regarding the disbursement of forfeitures.
The Department concurred with the finding and stated they had begun the process of revising the rules associated with 5 ILCS 810/10 in August 2021. The Department has now completed responses to questions received during public comment and returned them to the Joint Committee on Administrative Rules. While the rest of the process is outside of the control of the Department, it is hoped that final rules will be published by early Fiscal Year 2024.
INADEQUATE INTERNAL CONTROLS OVER STUDENT ENROLLMENT REPORTING
The Western Illinois University (University) did not have adequate procedures in place to complete accurate and timely enrollment reporting for all students within the required time period.
During our testing of Pell or Direct Loan borrowers that had a reduction or increase in attendance levels at the University, we noted 4 out of 40 (10%) students whose program-level record was not updated to reflect the student’s program enrollment status. Additionally, we noted 29 out of 40 (73%) students whose campus-level record and program-level record were not updated within the required time frame, ranging from 6-40 days late.
We recommended the University implement controls to ensure that all program level detail is being appropriately reported through NSC to NSLDS and that submissions of degree confirmations to NSC are appropriate to ensure enrollment status changes are reported at least every 60 days. We also recommended these controls be monitored to ensure that all necessary information is reported within the required time frame.
University officials agreed with the finding and stated procedural changes will be implemented to ensure compliance.
FEDERAL AUDITING
STATEWIDE SINGLE AUDIT UPDATE
The purpose of the Statewide Single Audit is to fulfill the State mandate in accepting federal funding. It includes all State agencies that are part of the primary government and expend federal awards. In total, 45 Illinois State agencies expended federal financial assistance in FY 2022.
The schedule of expenditures of federal awards reflects total expenditures of $51.222 billion for the year ended June 30, 2022. Overall, the State participated in 315 different federal programs, however, 10 of these programs or program clusters accounted for 85.3% of the total federal award expenditures.
Federal Agencies Providing Federal Funding
For the year ended June 30, 2022
(Amounts in millions)
Health & Human Services: $ 22,713
Agriculture: 8,215.9
Treasury: 5,857.8
Education: 5,735.3
Labor: 5,728.9
All Others: 2,970.7
Total Federal Award Expenditures: $ 651,222.1
Source: FY2022 State of Illinois Single Audit Report
Overall, 12 State agencies accounted for approximately 98.1% of all federal dollars spent during FY2022.
SUMMARY OF FEDERAL SPENDING BY STATE AGENCY
For the year ended June 30, 2022
(Amounts in millions)
Healthcare & Family Services: $ 19,294.3
Human Services: 9,656.5
Employment Security: 8,269.9
Board of Education: 5,295.0
Student Assistance Commission: 2,174.1
Transportation: 1,807.2
Commerce & Economic Opportunity: 1,126.1
Public Health: 690.9
Emergency Management Agency: 564.2
Revenue: 545.6
Corrections: 435.6
Children & Family Services: 394.8
All Others: 967.9
Total Federal Spending: $ 51,222.1
Source: FY2022 State of Illinois Supplemental Report of
Federal Expenditures by Agency/Program Fund.
Our audit testing focused primarily on the 19 major programs expending about $44.4 billion in federal awards.
Our report contained 34 findings related to 13State agencies.
The Performance Audit Program
Performance audits are conducted at the request of legislators to assist them in their oversight function. Based on the scope specified in the resolution or the law requesting the audit, State agencies’ programs, functions, and activities are reviewed. The audits determine if the services are provided as intended by the General Assembly and directly impact and improve agency operations.
The General Assembly uses performance audit information to develop legislation, to deal with budgetary issues, and to direct agencies to improve programs. Some audits produce immediate changes. In other instances, significant changes may not be seen for several years. The length of time it takes to see changes is due to the process of transforming the audit findings and recommendations into legislative bills and converting bills into law; additionally, once a law is implemented, the effects may not be apparent for some time.
The National State Auditors Association (NSAA) established the Excellence in Accountability
Awards Program in 2003 to recognize outstanding performance audits and special projects. Performance audits performed by the Office of the Auditor General (OAG) have received six NSAA awards in past years:
• 2019 Performance Audit of the Department of Children and Family Services Investigations of Abuse and Neglect;
• 2014 Neighborhood Recovery Initiative Audit (Honorable Mention);
• 2012 Management Audit of the Department of State Police’s Administration of the Firearm Owner’s Identification Act;
• 2007 Performance Audit of the Mass Transit Agencies of Northeastern Illinois: RTA, CTA, Metra, and Pace;
• 2004 Management and Program Audit of the Rend Lake Conservancy District; and
• 2003 Management Audit of the Illinois State Toll Highway Authority.
Another national organization, the National Legislative Program Evaluation Society (NLPES), also has an Impact Award which is given annually to audits that demonstrate significant dollar savings, program improvements, or impact from a legislative and public perspective. The OAG has received the NLPES award for many audits as well:
• 2021 Management Audit of the Firearm Owner’s Identification Card and Concealed Carry License Program;
• 2021 Performance Audit of the Department of Children and Family Services LGBTQ Youth in Care;
• 2019 Performance Audit of the Department of Children and Family Services Investigations of Abuse and Neglect;
• 2019 Performance Audit of Legionnaires’ Disease at the Quincy Veterans’ Home;
• 2018 Performance Audit of Medicaid Managed Care Organizations;
• 2016 Performance Audit of the College of DuPage;
• 2014 Neighborhood Recovery Initiative Audit;
• 2012 Management Audit of the College Illinois! Prepaid Tuition Program’s Administrative Operations;
• 2012 Management Audit of the Department of State Police’s Administration of the Firearm Owner’s Identification Act;
• 2011 Management Audit of the State’s Financial Reporting System;
• 2010 Program Audit of the Covering ALL KIDS Health Insurance Program;
• 2009 Management and Program Audit of the Illinois State Police’s Division of Forensic Services;
• 2008 Performance Audit of the Department of Healthcare and Family Services’ Prompt Payment Act Compliance and Medicaid Payment Process;
• 2007 Performance Audit of the Mass Transit Agencies of Northeastern Illinois;
• 2006 Management Audit of the Flu Vaccine Procurement and the I-SaveRx Program;
• 2004 Management and Program Audit of the Rend Lake Conservancy District;
• 2003 Management Audit of the Illinois State Toll Highway Authority;
• 2002 Management Audit of Agency Use of Internet User Tracking Technology;
• 2001 State Board of Education and Other State Agencies Providing Funding to Illinois’ Regional Offices of Education;
• 2000 Management Audit of Child Support State Disbursement Unit;
• 1999 Management Audit of the Pilsen Little Village Community Mental Health Center; and
• 1998 Management Audit of Tuition and Fee Waivers.
PERFORMANCE AUDITS COMPLETED IN 2023
The Auditor General released four performance audits and three reviews in 2023. The performance audits released are listed below. Performance audits released in 2023 included 31 recommendations for improvement.
ADMINISTRATION OF PHARMACY BENEFIT MANAGERS
On April 9, 2022, the Illinois Senate adopted Senate Resolution Number 792, which directed the Office of the Auditor General to conduct a performance audit of the Department of Healthcare and Family Services’ (HFS) administration of pharmacy benefit managers (PBMs).
PBMs are contracted by Managed Care Organizations (MCOs) to be responsible for the purchasing and distribution of drugs under the plan. Subsequently, PBMs enter into contracts with individual pharmacies to provide prescription drugs and related products and services. Claims are generally filed at the point of sale at the pharmacy when the beneficiary fills the prescription, unlike the claims process for MCOs where claims are filed after the service occurs. PBMs are paid through the capitation rates given to MCOs, which are actuarially calculated; these payments cover pharmaceuticals as well as dispensing and administration fees. According to HFS, PBMs are under the dual oversight of the contracting MCO and HFS.
The audit found:
• In calendar year 2021, HFS paid MCOs $16.2 billion in capitation payments, of which $2.64 billion was paid to PBMs. Of that, $2.55 billion went to individual pharmacies for covered drugs. HFS received $1.47 billion in drug rebates from pharmaceutical manufacturers.
• There is little monitoring being done of the PBMs by HFS. HFS did not have complete copies of contracts between the MCOs and the PBMs necessary to conduct monitoring of the contract provisions. HFS also does not monitor contracts between the PBMs and the pharmacies and, as such, is unaware of the rates paid to the pharmacies by the PBMs. There is no verification being conducted to ensure that the reimbursements to PBMs by MCOs are accurate and reflect the actual payments paid to the pharmacies. In addition, HFS does not monitor actual reimbursement rates or rebates. The entire monitoring function of the rates paid to pharmacies by PBMs is limited and based on self-reported, unaudited encounter data. As a result, HFS was unable to provide support for adequate monitoring of the PBMs.
• Illinois MCOs paid PBMs over $2.2 billion in calendar year 2020 for pharmacy services, and over $2.6 billion in calendar year 2021. The PBMs paid pharmacies $2.1 billion during calendar year 2020 and $2.5 billion during calendar year 2021.HFS’s contracted actuary, Milliman, reviews encounter data and reimbursements; however, it does not audit or test self-reported data.
• MCOs were not in full compliance with all statutory requirements for their contracts with PBMs, and HFS does little to no monitoring to ensure that all requirements are met. Contracts between PBMs and pharmacies generally meet statutory requirements, but were missing many of the same provisions that were not in the MCO contracts.
• HFS was not engaging in monitoring practices of PBMs as mandated by the Illinois Public Aid Code (305 ILCS 5/5-36(c) through (j)) which establishes several provisions for monitoring PBMs under MCOs.
• Auditors also determined that HFS did not define “conflicts of interest” in administrative rule as required by 305 ILCS 5/5-36(d).
• Contractually negotiated reimbursement rates and administrative fees between MCOs and PBMs differ for each contract, which resulted in varying reimbursement rates that were difficult to review. Because of the varying reimbursement rates and administrative fees, auditors could not verify the amounts reported by HFS for claims paid or administrative expenses for each MCO or adequately review reimbursement practices.
• Auditors identified multiple affiliations between the MCOs, PBMs, and pharmacies that may impact the cost of the program and access to care for beneficiaries.
The audit report contained five recommendations directed to the Department of Healthcare and Family Services. The Departments agreed with the recommendations.
BUSINESS INTERRUPTION GRANT PROGRAM
Legislative Audit Commission Resolution 159, adopted September 1, 2021, directed the Auditor General to conduct a performance audit of the Business Interruption Grant (BIG) program. The BIG program was developed to provide $585 million in economic relief for small businesses hit hardest by COVID-19.
The Department of Commerce and Economic Opportunity (DCEO) had responsibility for the development and implementation of the BIG program. DCEO entered into agreements with the Departments of Human Services (DHS) and Agriculture (DOA) to assist with other components of BIG.
The audit found:
• DCEO could not provide documentation to show how or why it selected organizations to administer Round 1 of the BIG program. One of the grant administrators, as well as a DCEO official, appears to have not complied with conflict of interest policies at DCEO. The BIG grant administrators were to distribute $580 million in funds. An additional $5 million was to be administered by DOA.
• DCEO initiated the small business component of the BIG program without having emergency administrative rules in place for the administration of the program. Rules had not been implemented before the completion of Round 1 of the small business component of BIG. Additionally, even after the lack of timeliness for Round 1, DCEO was unable to amend the rules for Round 2 of the small business component of BIG timely. DCEO filed amended rules 12 days after the Round 2 application process had started, a process that utilized a preference for certain types of businesses to receive preferential treatment in the selection process.
• DCEO allowed, without verification, BIG small business grant applicants to self-certify that they complied with all laws as well as reporting other pandemic funding. We found that not all applicants’ certifications were accurate. Nonetheless, DCEO and its grant administrators awarded funding to these applicants.
• The BIG program was designated by the General Assembly to provide assistance for businesses that had losses due to COVID-19. DCEO utilized an eligibility category for the small business component of BIG that was not specified in the Public Act passed by the General Assembly. DCEO paid over $11 million to 630 applicants that applied under this eligibility designation.
• DCEO awarded small business applicants in Round 1 of the BIG program funding when the businesses were not eligible based on information submitted in the application. Our analysis found 196 ineligible applicants received $3.42 million. Additionally, the application system developed by a DCEO grant administrator that was supposed to not allow ineligible applicants to submit finalized applications failed to work as advertised.
• DCEO oversight of the award selection process for the small business component of BIG was insufficient. Our testing of the selection process found significant deficiencies in both rounds.
– In Round 1, we were only able to concur with 8 percent of the BIG awards from our sample. We determined that 16 percent of the BIG awards, totaling $430,000, in our sample were ineligible for reasons such as revenues outside the criteria or restaurants providing outdoor dining. We also questioned 76 percent of the BIG awards, totaling $1,980,000, in our sample due to lack of required documentation being submitted by the applicant.
– In Round 2, we were only able to concur with 41 percent of the BIG awards from our sample. We determined that 29 percent of the BIG awards in our sample had one or more questioned elements. Additionally, we determined that 30 percent of the awards made by DCEO in our Round 2 sampling were ineligible. Finally, questionable expenses from our selection-testing sample totaled $1,335,708 – 28 percent of all funds awarded from the
Round 2 sample.
• DCEO utilized an award determination process which failed to follow the directive of State statute relative to funding for COVID-19 losses. By rounding loss amounts up to the next $5,000, DCEO reduced the funding levels while some applicants went without funding. In our selection testing work, we found 47 percent of the awards overpaid the documented losses by a total of $171,000. Our sample of 150 award winner cases was just over 2 percent of the total awards in Round 2 of the small business component of BIG.
• DCEO and its grant administrators for the small business component of BIG awarded funding in excess of program policy. Eleven business owners received funding for businesses in excess of the three for which each owner was eligible. Total overpayment of funds totaled $220,000. DCEO is responsible for overseeing grant programs, including ones in which program administrators are utilized.
• DCEO failed to execute grant agreements with grant administrators for the small business component of the BIG program prior to the grant administrators working on the BIG program. Further, DCEO required funding applicants to submit multiple pieces of confidential information to these grant administrators that were operating without an executed grant with the State of Illinois. Finally, DCEO was unaware of the actual individuals that would view this confidential information, even though some of these individuals were temporary staff hired by the grant administrators.
• DCEO failed to maintain notifications to applicants of the BIG program. Additionally, DCEO paid an outside vendor for a mass mailing system that did not maintain a retrieval function instead of utilizing a State system at the Department of Innovation and Technology, which could have been less costly and had the ability to retrieve the notifications.
• DCEO failed to monitor that the payment of small business component funding was provided within program guidelines. During our testing we found that in 49 percent (67 of 136) of the cases, the grant administrator failed to provide funding within 14 days of DCEO approval.
• DCEO had monitoring weaknesses relative to the uses of funding provided as part of the small business component of the BIG program. DCEO failed to conduct routine monitoring of the funds provided under BIG and at times did not have documentation to conduct monitoring. The lack of documentation made it impossible for DCEO to know if the same claimed losses were utilized by an applicant to obtain funding under different programs.
• DCEO and its grant administrators failed to follow BIG program requirements relative to deducting previous awards from future BIG funding for the small business component of the program. This inaction resulted in the overpayment of $4.29 million in BIG funds.
• DCEO failed to monitor all terms of the grant agreements with grant administrators. The lack of monitoring resulted in one grant administrator not providing tax information on $4.4 million in BIG funds to 305 sub-recipients.
• DCEO did not claw back funds for noncompliance. DCEO became aware of instances of violations but did not initially have a system in place to manage businesses found to be in violation of law, regulations, and executive orders. DCEO relied on the attestations of the recipient that they would comply or were already complying with the mitigation efforts.
• Testing for the child care component and the livestock management component did not find any significant or pervasive issues. We concurred with all of the grant awards and grant denials in our sample.
The audit report contained 15 recommendations directed to the Department of Commerce and Economic Opportunity. The Department generally agreed with the recommendations.
COVERING ALL KIDS HEALTH INSURANCE PROGRAM
The Covering ALL KIDS Health Insurance Act (Act) (215 ILCS 170/63) directs the Auditor General to audit the EXPANDED ALL KIDS program every three years beginning on or before June 30, 2022 (prior to this date, audits were required annually). The Act requires that the audit include: payments for health services covered by the program; and contracts entered into by the Department of Healthcare and Family Services (HFS) in relation to the program.
The ALL KIDS program is administered by both HFS and the Department of Human Services (DHS). We have released audits annually as required from the first audit covering FY09 to the tenth and last audit covering FY18.
The audit found:
• Redeterminations of eligibility were completed late or not completed during July 2018 through March 2020. During FY19, 12,315 of the 25,907 (48%) annual redeterminations due were completed timely, and 6,466 of 25,907 (25%) annual redeterminations due were not completed. During FY20, 14,783 of the 18,841 (78%) annual redeterminations due were completed timely, and 3,559 of 18,841 (19%) annual redeterminations due were not completed. Redeterminationswere suspended beginning in March 2020 due to COVID-19.
• Auditors identified 1,328 enrollees that were over the allowable age for enrollment in the ALL KIDS program from July 2018 through March 2020. These enrollees received 11,011 services totaling $1,192,008 after the month of their 19th birthday. Beginning in March 2020, enrollees that were over the allowable age were allowed to maintain coverage because of COVID-19. Auditors also identified duplicate enrollees during FY19 through FY22.
• Auditors determined that there were enrollees that were potentially misclassified as undocumented during FY19 through FY22. For this four year audit period, we identified a total of 5,513 of 111,722 (5%) undocumented enrollees that are potentially misclassified. If these enrollees were classified as undocumented in error, the State did not receive the eligible matching federal rate funds for FY19 through FY22. At a minimum, the
State did not collect $8.2 million in federal reimbursement for this time period.
• Supporting documentation for determinations of eligibility has been an issue identified by auditors in each of the previous 10 EXPANDED ALL KIDS audits, going back to FY09. However, during this audit period we were unable to conduct fieldwork testing in order to follow up on this recommendation because of the allowances made to address COVID-19. This recommendation will be followed up on as part of future State Compliance Examinations.
The audit report contained four recommendations directed to DHS and HFS. DHS and HFS agreed with the recommendations.
IDES UNEMPLOYMENT INSURANCE PROGRAMS
On September 1, 2021, the Legislative Audit Commission adopted Resolution Number 158 requiring a performance audit of the unemployment programs administered by the Illinois Department of Employment Security during the period of March 1, 2020, to September 6, 2021. The Resolution contained eight determinations.
Unemployment Insurance (UI) is a joint state-federal program that provides cash benefits to eligible unemployed individuals. In addition to federal and State laws already in place, there were several federal laws enacted in response to the pandemic. The Coronavirus Aid, Relief, and Economic Security Act, the Consolidated Appropriations Act, 2021, and a presidential memorandum, created additional unemployment programs for individuals who were not traditionally eligible for unemployment benefits, such as those who are self-employed or contract-based employees. The additional programs included Pandemic Unemployment Assistance (PUA), Federal Pandemic Unemployment Compensation (FPUC), Pandemic Emergency Unemployment Compensation (PEUC), Lost Wages Assistance (LWA), and Mixed Earner Unemployment Compensation (MEUC). The Department was responsible for implementing the programs and distributing benefits.
The audit found:
• Overpayments (which include fraud, non-fraud, and identity theft) were an issue in both the regular UI and PUA programs. IDES reported overpayments for FY20 to FY22 that totaled $5.24 billion; regular UI accounted for $2.04 billion and PUA accounted for $3.20 billion. Considering gross benefits associated with regular UI claims were 2.5 times higher than gross benefits associated with PUA claims, it shows the magnitude of fraud experienced in the PUA program. IDES noted stopped or recovered payments of $150.36 million and $361.34 million for the regular UI and PUA programs respectively.
• Many decisions made during the pandemic were intended to decrease or eliminate delays and prioritize paying claims as soon as possible. Several of IDES’ defenses against fraud could not handle the exponential increase in claims. Claimants were unable to register for claims since they were required to pass these cross-matches in order to file. Beginning in March 2020, IDES suspended some routine identity cross-matches performed on all regular UI claims filed because the cross-matches required time to run and constricted the processing system severely. These cross-matches were temporarily suspended and/or processed offline. This allowed IDES to better handle the increase in claims processing traffic; however, this left the unemployment programs more susceptible to fraud.
• Timely payment of benefits and preventing fraud are competing concepts. Preventing fraud, especially in new programs with evolving guidance and guidelines, likely would require additional processing time and a possible delay in benefit distribution to claimants. Conversely, paying claims quickly, especially when certain cross-matches and controls were suspended, increased IDES’ risk of making improper payments.
• IDES made large payments of backdated benefits while controls were suspended which could have contributed to large overpayments and losses due to fraud and identity theft. Claims were sometimes filed and paid within a matter of days and then fraudulent activity was subsequently detected. Auditors found 158,054 PUA claimants that received a single payment of $10,000 or more (totaling more than $2.3 billion in benefits) within 30 days or less of the date of application. It is important to note that while these are not necessarily fraudulent payments, given the increased risk of identity theft and the size of these payments, it would be a good practice to take additional measures to ensure that these payments are issued to eligible claimants.
• IDES data shows payments were made to deceased individuals and incarcerated individuals. The data showed, for both regular UI and PUA combined, a total of 481 deceased individuals received 10,527 payments totaling $6.0 million. In addition, 3,448 incarcerated individuals received 92,811 payments totaling $40.5 million. Testing these cases showed that some overpayments had already been identified as fraud. However, some of the overpayment figures excluded payments made before January 2021 and therefore understated the overpayment.
• The addition of new federal laws and unemployment programs in response to the pandemic resulted in additional program complexity and constantly changing guidance. The US Department of Labor (DOL) issued official guidance referred to as Unemployment Insurance Program Letters (UIPLs). Auditors reviewed 72 UIPLs related to the audit determinations. In addition, the individual UIPLs were constantly being updated and changed. For example, UIPL 16-20 was first issued April 5, 2020; however, there were 6 subsequent changes issued from April 27, 2020, to September 3, 2021.
• While the pandemic created an unprecedented increase in unemployment claims, and likely levels that could not have been anticipated, the concept of planning for massive economic downturns remains the same. There was a lack of planning prior to the pandemic that contributed to the delays experienced by unemployment claimants:
– IDES was not prepared to quickly increase staffing, which created delays in answering phone calls and processing claims. Staffing issues were compounded by retirements and staff being forced to work from home due to the pandemic.
– PUA benefits could not be processed until a new PUA payment system was in place.
– IDES’ website and the IBIS system crashed due to overload.
– Claimants with missing or hijacked payments experienced substantial delays in getting their payments reissued due to an inadequate procedure for processing and handling payment tracer forms, especially in times of high demand. Auditors found that it took IDES, on average, 198 days to reissue hijacked regular UI payments and 445 days for hijacked PUA payments.
• Auditors tested 50 regular UI claims and 50 PUA claims and noted the following about timeliness of application processing:
– On average, the 50 IBIS claims sampled took 14 days from the application date to the date the finding was sent to the applicant. For approved claims that received at least one payment, it took approximately 16 days from the date of application to the date the first payment was made.
– On average, the 50 PUA claims sampled took
38 days from the application date to the date the finding was sent to the applicant. For the 25 claims in our sample that received at least one payment, it took approximately 15 days from the application date to the date the first payment was made.
• The Department entered into eight contracts including 29 amendments during the audit period for services and software related to administering the unemployment insurance and PUA programs. Pursuant to a Disaster Proclamation issued by the Governor, these contracts were exempt from bidding and the provisions of the Illinois Procurement Code. The eight contracts initially totaled $33.5 million. However, with subsequent amendments, the eight contracts eventually totaled $226.4 million, $160.5 million of which had been expended through January 2023. Nine of the 29 amendments were signed by IDES between 2 days and 45 days after the effective date of the amendment.
• The US Department of Labor (DOL) introduced additional cross-matches to combat fraud in October 2021 and February 2022 that IDES is not yet utilizing (Prisoner Update Processing System and Bank Account Verification service respectively).
• The issues experienced at IDES were not unique to Illinois. A Pandemic Response Accountability Committee (PRAC) report released in December 2021 noted states experienced significant challenges in effectively providing their states with unemployment benefits. The report noted four common insights from unemployment insurance findings identified across 16 State Auditor Offices (including Illinois):
– unemployment insurance workloads surged for states;
– the claims surge exploited internal control weaknesses;
– uncommon and varying fraud schemes began to occur as the amount of federal funding expanded; and
– State Workforce Agencies experienced information technology system challenges.
The audit report contained seven recommendations directed to the Illinois Department of Employment Security. The Department agreed with the recommendations.
REGIONAL OFFICES OF EDUCATION AUDITS
In addition to other duties, the Auditor General has the responsibility for annual audits of the financial statements of the regional superintendent of schools of each educational service region in the State.
There were a total of 38 Fiscal Year 2022 audits the Performance Audit Division had the responsibility for: 35 of Regional Offices of Education (ROEs) and 3 of Intermediate Service Centers (ISCs). Our Office arranged for auditing firms to perform these audits under the general direction and management of the Auditor General’s audit managers.
The FY22 ROE audits released in 2023 contained a total of 17 recommendations for improvement. Most of the recommendations dealt with the ROEs not having sufficient internal controls including controls over their financial reporting processes.
PERFORMANCE AUDITS IN PROGRESS
STATE’S BOARDS AND COMMISSIONS
On April 4, 2022, the Illinois House of Representatives adopted House Resolution 677, which directed the Office of the Auditor General to conduct a management audit of the State’s boards and commissions. The audit was to specifically include, but not be limited to, the following for every known State board and commission:
1. Its name and purpose;
2. The number of appointed members and the number of vacancies and the length of the vacancies;
3. Costs of member stipends, salaries, and per diems and expense reimbursements to members and State officials and employees for attending board and commission meetings during Fiscal Years 2021 and 2022;
4. The date of each of the board's or commission's meetings during Fiscal Years 2021 and 2022 and the number of members in attendance and the number of members absent; and
5. Identification of any report or work product prepared and made available by the board or commission during Fiscal Years 2021 and 2022.
IDOT’S DISADVANTAGED BUSINESS ENTERPRISE (DBE) CERTIFICATION PROGRAM
On September 1, 2021, the Legislative Audit Commission adopted Resolution Number 160, which directed the Office of the Auditor General to conduct a performance audit of the Illinois Department of Transportation's certification of businesses as DBEs (Disadvantaged Business Enterprise) through the Illinois Unified Certification Program (IL UCP). The audit was to specifically include, but not be limited to, the following determinations:
1. Whether certification and recertification procedures are adequate to assure that businesses certified by IDOT in the IL UCP are legitimately classified as businesses owned and controlled by minorities, females, or persons with disabilities;
2. Whether the established procedures and processes that govern certification of businesses owned and controlled by minorities, females, or persons with disabilities are being followed;
3. Whether staff responsible for certification of these businesses have received adequate training;
4. What steps are followed to verify information provided by businesses certified by IDOT in the IL UCP, such as review of pertinent documentation, interviews, and on-site visits;
5. Whether the certifications are periodically reviewed to ensure that businesses in the program continue to be qualified for participation;
6. Whether procedures for enforcing compliance with federal regulations, including contract termination and contractor suspension, are adequate and uniformly enforced; and
7. Whether recent DBE goals established by IDOT have been met.
DHS OVERSIGHT AND MONITORING OF THE CILA PROGRAM
On March 14, 2023, the Legislative Audit Commission adopted Resolution Number 164, which directed the Office of the Auditor General to conduct a performance audit of the Department of Human Services’ oversight and monitoring of the Community Integrated Living Arrangement (CILA) program. The audit was to specifically include, but not be limited to, the following determinations:
1. An examination of the process for licensing developmental services agencies and certifying CILAs for persons with developmental disabilities;
2. An examination of whether oversight and monitoring of licensed CILA providers complies with statutory and regulatory requirements, including site visits, and inspections of records and premises; and
3. An examination of whether the DHS notification process for emergency calls complies with applicable laws, rules, and procedures.
DHS OVERSIGHT OF THE INDEPENDENT SERVICE COORDINATION PROGRAM
On May 15, 2023, the Illinois House of Representatives adopted House Resolution Number 66, which directed the Office of the Auditor General to conduct a performance audit of the oversight of the Independent Service Coordination (ISC) program by the Department of Human Services' Division of Developmental Disabilities. The audit was to specifically include, but not be limited to, the following determinations:
1. An examination of the caseloads, by ISC, around the State to determine whether ISCs are providing coverage based on agreements with the State,
2. An examination of whether ISCs maintain documentation and report allegations of suspected abuse, neglect, and financial exploitation to the appropriate oversight entity, and
3. An examination of the oversight and monitoring of ISCs by DHS ensuring that the ISC complies with statutory, regulatory, and contract requirements, including site visits and inspections of records and premises.
DHS OFFICE OF THE INSPECTOR GENERAL
The Department of Human Services Act directs the Auditor General to conduct a program audit of the Department of Human Services, Office of the Inspector General on an as needed basis. (20 ILCS 1305/1-17(w)) The Act specifically requires the audit to include the Inspector General’s compliance with the Act and effectiveness in investigating reports of allegations occurring in any facility or agency.
This will be the 14th audit the Auditor General has conducted of the OIG since 1990. The most recent audit was released in January 2021.
HFS MEDICAID SERVICES FOR UNDOCUMENTED IMMIGRANTS
On November 7, 2023, the Legislative Audit Commission adopted Resolution Number 165, which directed the Office of the Auditor General to conduct a performance audit of the Department of Healthcare and Family Services’ (HFS) administration of the program of Medicaid services and coverage provided to undocumented immigrants. The audit was to specifically include, but not be limited to, the following determinations:
1. A review of HFS’ initial program enrollment and cost estimates for fiscal years 2021, 2022, and 2023 for Medicaid services for undocumented immigrants;
2. A review of the actual program enrollment numbers and amount of money expended for fiscal years 2021, 2022, and 2023 for Medicaid services for undocumented immigrants;
3. The cost for each level of expansion of Medicaid services for undocumented immigrants for fiscal years 2021, 2022, and 2023;
4. The cost by category of service for Medicaid services for undocumented immigrants for fiscal years 2021, 2022, and 2023; and
5. An examination of inpatient reimbursement through fee-for-service payments for undocumented immigrants using enhanced rates.
REGIONAL OFFICES OF EDUCATION
Since 2002, the School Code (105 ILCS 5/2-3.17a) has required the Auditor General’s Office to conduct annual audits of the financial statements of all accounts, funds, and other moneys in the care, custody, or control of the regional superintendent of schools of each educational service region in the State. For Fiscal Year 2023, a total of 38 audits are to be performed.
OAG FRAUD HOTLINE
The Auditor General’s Office is required by law [30 ILCS 5/2-15, added by P.A. 97-261, effective August 5, 2011] to operate a toll-free fraud hotline for the public to report allegations of fraud in the executive branch of State government. The hotline went into operation at the beginning of January 2012.
The toll free number is 1-855-217-1895. The hotline is available 24 hours a day, 7 days a week. Live operators are generally available Monday-Friday from 8:00 a.m. to 4:00 p.m. (CST).
In addition to calling the toll-free number, other options have been established for the public to report allegations of fraud. The public may also:
• Complete the Fraud Reporting Form on-line located on the OAG web-site (www.auditor.illinois.gov);
• E-mail a description of the allegation to: Hotline@auditor.illinois.gov;
• Contact the Auditor General via telecommunications device for the disabled (TTY) at 1-888-261-2887; or
• Send a written report via the U.S. Postal Service to the following address:
Fraud Hotline, Auditor General’s Office, 740 E. Ash St., Springfield, IL 62703.
Individuals reporting alleged fraud to the hotline may remain anonymous. However, if the individual chooses not to be identified, the Office’s ability to follow up on the allegation may be limited.
More information regarding the reporting of fraud allegations can be found at the Fraud Hotline section of the OAG website. Jurisdiction of the Fraud Hotline does not include the legislative or judicial branches of government, nor units of local government. Other resources the public may use to report fraud if it is outside of the jurisdiction of the OAG can also be found on the website. Even if the Auditor General’s Office does not have jurisdiction over the allegation, our hotline manager will try to direct the caller to another State, federal, or local agency that may be able to help.
The Information Systems Audit Program
Computers are an integral part of State government, processing billions of dollars in financial transactions each year and helping control the operations of State agencies. Since financial transactions and confidential information are processed using computers, audits of information system activities are necessary to ensure that computer processing is secure and accurate.
TESTING CONTROLS AND SYSTEMS
The Auditor General’s Office plans to continue to emphasize the review of information system controls at State agencies. We performed information system reviews at the following agencies:
Department on Aging, Office of Attorney General, Capital Development Board, Chicago State University, Department of Commerce and Economic Opportunity, Office of Comptroller, Department of Employment Security, Environmental Protection Agency, Department of Financial and Professional Regulation, Illinois Gaming Board, Housing Development Authority, Department of Human Services, Department of Innovation and Technology, Department of Insurance, Department of Natural Resources, Northern Illinois University, Illinois Racing Board, Department of Revenue, Southern Illinois University, Illinois State Police, Illinois State Toll Highway Authority, Illinois Student Assistance Commission, Department of Transportation, University of Illinois, and Department of Veterans’ Affairs.
To enhance the control environment, the Auditor General has emphasized the review of cybersecurity, networks, access rights, and the security and control of confidential information. These reviews have focused on the necessity of establishing consistent and effective security policies and programs, performing comprehensive risk assessments, and implementing comprehensive security techniques on all
ISA FINDINGS
Computers are an integral part of State government, processing billions of dollars in financial transactions each year and helping control the operations of State agencies. Since financial transactions and confidential information are processed using computers, audits of information system activities are necessary to ensure that computer processing is secure and accurate.
TESTING CONTROLS AND SYSTEMS
The Auditor General’s Office plans to continue to emphasize the review of information system controls at State agencies. We performed information system reviews at the following agencies:
Department on Aging, Office of Attorney General, Capital Development Board,
Chicago State University, Department of Commerce and Economic Opportunity, Office of Comptroller, Department of Employment Security, Environmental Protection Agency, Department of Financial and Professional Regulation, Illinois Gaming Board, Housing Development Authority, Department of Human Services, Department of Innovation and Technology, Department of Insurance, Department of Natural Resources, Northern Illinois University, Illinois Racing Board, Department of Revenue, Southern Illinois University, Illinois State Police, Illinois State Toll Highway Authority, Illinois Student Assistance Commission, Department of Transportation, University of Illinois, and Department of Veterans’ Affairs.
To enhance the control environment, the Auditor General has emphasized the review of cybersecurity, networks, access rights, and the security and control of confidential information. These reviews have focused on the necessity of establishing consistent and effective security policies and programs, performing comprehensive risk assessments, and implementing comprehensive security techniques on all computer systems.
Eighteen agencies — Chicago State University, Office of Comptroller, Department of Corrections, Eastern
Illinois University, Department of Employment Security, Governors State University, Department of Healthcare and Family Services, Department of Human Services, Illinois State University, Department of Innovation and Technology, Department of Juvenile Justice, Illinois Law Enforcement Training Board, Department of Natural Resources, Northeastern Illinois University, Illinois State Board of Education, Illinois State Police, Southern Illinois University, and University of Illinois — had not established adequate controls for securing their computer resources. We recommended that these agencies evaluate their computer environments and ensure adequate security controls and policies exist to safeguard computer resources.
Five agencies — Governors State University, Department of Natural Resources, Illinois State Police, Southern Illinois University and Western Illinois University — had not completed all requirements to demonstrate full compliance with the Payment Card Industry Data Security Standards. We recommended that these agencies at least annually assess each program accepting credit card payments, review and validate its environment, and ensure agreements with service providers are current and maintained.
Sixteen agencies — Department on Aging, Capital Development Board, Department of Central Management Services, Chicago State University, Department of Commerce and Economic Opportunity, Illinois State Board of Education, Environmental Protection Agency, Department of Financial and Professional Regulation, State Fire Marshal, Illinois Gaming Board, Department of Insurance, Department of Natural Resources, Illinois Racing Board, Southern Illinois University, Illinois State Police, and Department of Veterans’ Affairs —had not implemented an effective change management processes to ensure changes to computer applications were properly approved, tested, and documented. We recommended that these agencies develop and implement change management standards to ensure adequate oversight of all changes to computer applications.
Fourteen agencies — Department on Aging, Office of Attorney General, Capital Development Board, Department of Children and Family Services, Department of Commerce and Economic Opportunity, Illinois State Board of Education, Department of Financial and Professional Regulation, State Fire Marshal, Department of Innovation and Technology, Northern Illinois University, Illinois Racing Board, Department of Revenue, Southern Illinois University, and Illinois State Toll Highway Authority — had not developed or implemented access provisioning policies to ensure access rights to computer systems were properly controlled. We recommended that these agencies develop and implement access provisioning policies to ensure access rights are approved, disabled timely, and periodically reviewed.
Thirty-two agencies — Office of State Appellate Defender, Office of the State’s Attorney
Appellate Prosecutor, Office of Attorney General, Chicago State University, Department of Children and Family Services, Department of Commerce and Economic Opportunity, Office of the Comptroller, Illinois Conservation Foundation, Department of Corrections, Eastern Illinois University, Illinois State Board of Education, Department of Employment Security, Department of Financial and Professional Regulation, Illinois Gaming Board, Governors State University, Department of Healthcare and Family Services, Illinois Housing Development Authority, Department of Innovation and Technology, Department of Insurance, Department of Juvenile Justice, Department of Lottery, Department of Natural Resources, Northeastern Illinois University, Northern Illinois University, Illinois Racing Board, Department of Revenue, Southern Illinois University, Illinois State Police, Illinois Student Assistance Commission, University of Illinois, Department of Veterans’ Affairs, and Western Illinois University — did not perform and document internal control reviews of all external data processing related service providers. We recommended that these agencies obtain or perform independent reviews of internal controls associated with service providers at least annually.
Twenty-two agencies — Department on Aging, Capital Development Board, Chicago State University, Department of Children and Family Services, Office of Comptroller, Department of Corrections, Environmental Protection Agency, Department of Healthcare and Family Services, Department of Financial and Professional Regulation, State Fire Marshal, Illinois State University, Department of Innovation and Technology, Illinois Gaming Board, Illinois Mathematics and Science Academy, Department of Natural Resources, Northeastern Illinois University, Northern Illinois University, Department of Revenue, Illinois Racing Board, Illinois State Police, Southern Illinois University, and Department of Veterans’ Affairs — had not adequately developed or tested recovery plans to provide for continuation of critical computer operations in the event of a disaster. We recommended that these agencies develop and test disaster contingency plans.
Cybersecurity Audits
Public Act 100-914 amended the Illinois State Auditing Act (30 ILCS 5/3-2.4 new) to specifically include Cybersecurity as part of our Compliance Examination program with an effective date of January 1, 2019.
Sec. 3-2.4. Cybersecurity audit.
(a) In conjunction with its annual compliance examination program, the Auditor General shall review State agencies and their cybersecurity programs and practices, with a particular focus on agencies holding large volumes of personal information.
(b) The review required under this Section shall, at a minimum, assess the following:
(1) the effectiveness of State agency cybersecurity practices;
(2) the risks or vulnerabilities of the cybersecurity systems used by State agencies;
(3) the types of information that are most susceptible to attack;
(4) ways to improve cybersecurity and eliminate vulnerabilities to State cybersecurity systems; and
(5) any other information concerning the cybersecurity of State agencies that the Auditor General deems necessary and proper.
(c) Any findings resulting from the testing conducted under this section shall be included within the applicable State agency’s compliance examination report… .
To address the amendment on the compliance examinations, we did the following:
• Updated the Compliance Audit Guide to include specific questions concerning cybersecurity practices, policies and procedures, training, roles and responsibilities, risk assessments, and data classifications. In addition, we provided guidance to assist audit staff and contractors in obtaining and reviewing documentation to support responses.
• Performed detailed testing at 25 agencies as part of the June 30, 2022 compliance examinations. We provided these agencies with detailed information regarding our analysis and, if appropriate, we developed findings.
As a result of our process for June 30, 2022 examinations, we identified significant weaknesses at 34 agencies: Department on Aging, Office of State Appellate Defender, Office of Attorney General, Capital Development Board, Chicago State University, Department of Children and Family Services, Department of Commerce and Economic Opportunity, Office of Comptroller, Department of Corrections, Eastern Illinois University, Illinois State Board of Education, Illinois Environmental Protection Agency, Department of Financial and Professional Regulation, State Fire Marshal, Illinois Gaming Board, Governors State University, Illinois Housing Development Authority, Illinois State University, Department of Innovation and Technology, Department of Insurance, Illinois Mathematics and Science Academy, Department of Military Affairs, Department of Natural Resources, Northeastern Illinois University, Northern Illinois University, Illinois Racing Board, Department of Revenue, Southern Illinois University, Illinois State Police, Illinois State Toll Highway Authority, Illinois Student Assistance Commission, University of Illinois, Department of Veterans’ Affairs, and Western Illinois University.
To promote agencies’ responsibility to ensure that confidential information is protected from accidental or unauthorized disclosure, we generally recommended they:
• Establish and document cybersecurity roles and responsibilities.
• Establish and communicate policies, procedures and processes to manage and monitor the regulatory, legal, environmental and operational requirements.
• Perform a comprehensive risk assessment to identify and ensure adequate protection of confidential or personal information most susceptible to attack.
• Classify data to establish the types of information most susceptible to attack to ensure adequate protection.
• Ensure all employees annually complete cybersecurity training as outlined in the Data Security on State Computers Act.
• Evaluate and implement appropriate controls to reduce risk of attack.
We will continue to review cybersecurity programs and practices in our June 30, 2023 compliance examinations.
Agency officials generally concurred with our recommendations concerning these issues.
The information systems audit staff also reviewed and tested the systems and procedures at the Department of Innovation and Technology. We released three System and Organization Control (SOC) Reports regarding the Department’s control environment.
Information Technology Hosting Services
The Department provides Information Technology Hosting Services for State agencies.
This SOC Report contained an adverse opinion as a result of:
• The controls related to the trust services criteria stated in the “Description of the State of Illinois, Information Technology Hosting Services” were not suitably designed to provide reasonable assurance the trust services criteria would be achieved.
• The controls related to the trust services criteria stated in the “Description of the State of Illinois, Information Technology Hosting Services” did not operate effectively.
Information Technology Shared Services
The Department provides Information Technology Hosting Services for State agencies.
This SOC Report contained an adverse opinion as a result of:
• The controls related to the control objectives stated in the “Description of the Information Technology Shared Services System for the Information Technology General Controls and Application Controls” were not suitably designed to provide reasonable assurance the control objectives would be achieved, and the controls did not operate effectively.
State of Illinois, Enterprise Resource Planning System
The Enterprise Resource Planning System is utilized by State agencies.
This SOC Report contained a qualified opinion as a result of:
• The controls related to the control objectives
stated in the “Description of the State of Illinois, Enterprise Resource Planning System for the IT General Controls and Application Controls” were not suitably designed or did not operate effectively to provide reasonable assurance the control objectives would be achieved.
As a result of the modified opinions, auditors of these agencies will likely modify the agency-level risk assessments to accommodate the additional risk to agencies and perform additional procedures to properly address these risks.
Department officials accepted the recommendations in the SOC reports.
Other Office Responsibilities
ANNUAL AUDIT ADVISORY
Every year, the Auditor General’s Office distributes an Illinois Audit Advisory to all State agencies for the purpose of sharing information that may make their operations more efficient and effective, and increase compliance with State law. Copies of this audit advisory are available on our website at: www.auditor.illinois.gov.
Comptroller’s Accounting System Review
The Auditor General is required by law to annually review the Comptroller’s Statewide accounting system. This review is accomplished through the Office’s audit of the State Comptroller, and by ensuring that all agency audits are performed in accordance with the Auditor General’s Audit Guide.
In addition, the Auditor General annually reviews the State Comptroller’s pre-audit function. Pre-audit is the primary control over expenditure voucher processing. The State Comptroller pre-audits financial transactions to determine if they are proper and legal.
PEER REVIEW
Peer review is an external quality control review conducted every three years by audit professionals from across the United States who are selected by the National State Auditors Association. The peer review helps to ensure that our procedures meet all required professional standards, comply with Government Auditing Standards, and produce reliable products for the agencies we audit.
The September 2023 peer review of the Auditor General’s audit processes resulted in an unmodified (clean) opinion. Our prior peer reviews, conducted in 1996, 1999 and 2002, 2005, 2008, 2011, 2014, 2017 and 2020 likewise resulted in unmodified opinions. Our next peer review is slated for 2026.
STATE ACTUARY
Public Act 97-694, effective June 18, 2012, directed the Auditor General to “contract with or hire an actuary to serve as the State Actuary.” Among its duties, the State Actuary is required to “review assumptions and valuations prepared by actuaries retained by the boards of trustees of the State-funded retirement systems” and “issue preliminary reports...concerning proposed certifications of required State contributions submitted to the State Actuary by those boards.” [30 ILCS 5/2-8.1 (a) and (b)] In addition, Public Act 100-465, effective August 31, 2017, added a similar requirement for the State Actuary to review the Public School Teachers’ Pension and Retirement Fund of Chicago.
[40 ILCS 5/17-127(e)] Through a competitive proposal process, the Auditor General awarded a contract in August 2012 to Cheiron, a full-service actuarial and consulting firm.
Cheiron issued its preliminary reports to the public retirement systems on December 1, 2023. As required by statute, the Auditor General submitted a written report to the General Assembly and Governor on December 21, 2023, documenting the initial assumptions and valuations prepared by the actuaries retained by the boards of trustees of the State-funded retirement systems, the State Actuary’s preliminary reports, and the responses of each board to the State Actuary’s recommendations.
The report is available in its entirety on our website at www.auditor.illinois.gov.
Continuing Professional Education and Training Requirements
The U.S. Government Accountability Office established Government Auditing Standards (the Yellow Book) for performing high-quality audit work with competence, integrity, objectivity, and independence to provide accountability and to help improve government operations and services.
The Yellow Book standard relating to competence specifies that management must assign auditors to conduct the engagement who collectively possess the competence needed to address the engagement objectives and perform their work in accordance with Generally Accepted Government Auditing Standards (GAGAS).
Auditors who plan, direct, perform engagement procedures for, or report on an engagement conducted in accordance with GAGAS should develop and maintain their professional competence by completing at least 80 hours of continuing professional education (CPE) every 2 years.
A minimum 24 hours of that CPE should be directly related to the government environment, government auditing, or the specific or unique environment in which the audited entity operates. The remaining 56
CPE hours should be in subject matter that directly enhances auditors’ professional expertise to conduct engagements. Auditors should complete at least 20 hours of CPE in each year of the 2-year period. Auditors hired or assigned to a GAGAS engagement after the beginning of the 2-year CPE period may complete a prorated number of CPE hours. Also, auditors who charge less than 20 percent of their time annually to engagements conducted in accordance with GAGAS and are not involved in planning, directing, or reporting on the engagement need only complete the 24-hour requirement.
The most recently completed 2-year period for CPE requirements as measured by the Office of the Auditor General was January 1, 2021, through December 31, 2022. All auditors, audit directors, and information specialists required to meet the CPE standards were in compliance for this 2-year period and are in compliance with current CPE requirements.
Additionally, the Office of the Auditor General is a registered sponsor with the Illinois Department of Financial and Professional Regulation, and complies with the rules of the Illinois Public Accounting Act.
CLAIMS DUE THE STATE AND METHODS OF COLLECTION
As required by law [30 ILCS 205/2 (k)], the Office of the Auditor General is reporting that there were no outstanding claims administered by the Office that were due and payable to the State as of December 31, 2023. The accounts receivables generated by our Office primarily represent billings to other State agencies for reimbursement of audit costs. Reimbursements for federal single audits are deposited into the General Revenue Fund. Reimbursements for audits not associated with federal single audits are deposited or transferred to the Audit Expense Fund. If normal collection methods fail, we request assistance from the Office of the Attorney General. To date we have never used the services of a private collection agency.
SUMMARY OF APPROPRIATIONS AND EXPENDITURES
The Office of the Auditor General was funded by appropriations from the General Revenue Fund and Audit Expense Fund for Fiscal Year 2023 (July 1, 2022 to August 31, 2023, including lapse period).
FY 2023 - FINAL
(Appropriation; Expended; Balance)
GRF
Operations:
GRF
Operations:
Personal Services $7,225,000 $6,152,710 $1,072,290
Social Security $575,000 $446,016 $128,984
GRF Operations Total $7,800,000 $6,598,726 $1,201,274
Audit Expense Fund:
Audits/Studies/Investigations $32,959,154 $28,846,567 $4,112,587