Volume 17, 2011 Annual
William G. Holland, Auditor General
Auditor General’s Message
In 2011, my Office completed a comprehensive audit of the State’s financial reporting system. Many of you reading this Advisory provided information to my auditors during the conduct of this audit.
The audit’s major conclusions, which are highlighted in this Audit Advisory, were that many of the systems used by State agencies are archaic, are costly to operate, and are not interrelated to each other. It is my hope that this audit will serve as a starting point for systemic improvements in the State’s financial reporting
The Advisory examines the need for agencies to conduct a risk assessment of their controls over confidential information, such as social security numbers and protected health information. Also, the Advisory discusses the need for agencies to rigorously carry out the annual statutorily required FCIAA reviews, which would lead to more timely identification of control deficiencies and reduce future audit findings.
WILLIAM G. HOLLAND
THE STATE’S FINANCIAL REPORTING SYSTEM
The State’s financial reporting “system” is comprised of over 260 individual financial systems, many of which are not interrelated, are antiquated, and are costly to operate. This was the conclusion reached in the Auditor General’s management audit of the State’s Financial Reporting System, released in February 2011.
The report also concluded that the lack of a centralized financial reporting system has considerable negative consequences, including untimely financial reporting of the true financial position of the State. The lack of timely financial reporting limits effective oversight of State finances, adversely affects the State’s bond rating, and jeopardizes federal funding. See inset for more detailed findings on the financial systems.
In addition to the lack of a centralized GAAP compliant financial reporting system, the report concluded that other factors have an adverse impact on the timeliness and accuracy of financial reporting:
• The Comptroller’s Office is responsible for financial reporting but does not have authority over the agencies from which it collects information. Furthermore, there is no penalty if the agencies do not cooperate with the Comptroller. The Comptroller’s Office and the Governor’s Office should work together to establish financial reporting target completion dates and ensure that such dates are met.
• The State of Illinois has a complex fund structure that utilized an estimated 900 funds in fiscal year 2009. A complex fund structure increases the level of effort necessary to account for and report transactions and increases the risk of errors and omissions.
• Many State agencies have a lack of competent trained staff in the area of financial reporting and reported that the personnel system impedes their ability to hire qualified staff. (See inset on the right for financial reporting resources that may be helpful to financial reporting staff in carrying out their responsibilities.)
The audit report can be found on the Auditor General’s web-site at: www.auditor.illinois.gov.
Specific Management Audit Findings on the State’s Financial Reporting System
• Agencies reported using 263 different financial reporting systems.
• Agencies reported that only 16 percent of the systems are compliant with Generally Accepted Accounting Principles (GAAP).
• Half of the financial reporting systems in use at State agencies are more than 10 years old.
• Fifty-three percent of the financial reporting systems are not interrelated, which consequently requires manual intervention to convert data from one system so it can be used in another.
• The total estimated cost of maintaining the systems in fiscal year 2010 was not determinable. Agencies provided cost estimates totaling $24 million, which covered only 56 percent of the systems.
PROTECTING PERSONAL INFORMATION
Requirements to protect personal information are outlined in laws such as the Personal Information Protection Act (815 ILCS 530), Identity Protection Act (5 ILCS 179), and the federal Health Insurance Portability and Accountability Act (HIPAA). The Auditor General’s audits have consistently identified weaknesses in the implementation of controls to protect confidential information at State agencies. Examples of poor practices include:
• Sending unencrypted confidential information, such as Social Security Numbers or Protected Health Information (PHI), over the Internet.
• Transporting confidential information on laptops or storage devices without utilizing encryption.
• Improper storage or disposal of documents containing
The Auditor General’s Office has been recommending that agencies perform a comprehensive risk assessment to identify all forms of confidential or personal information and ensure adequate security controls, including adequate physical and logical access restrictions, have been established to safeguard data and resources.
The first step in protecting confidential information is to identify where it currently exists, and then to review existing control procedures. In response to a recent finding regarding the protection of confidential information, a State agency outlined the results of a risk assessment. The agency embarked on a risk assessment of computers with the intent of reducing the likelihood of sensitive data leakage by eliminating or protecting sensitive data. The assessment discovered and eliminated over 4.1 million social security numbers and over 63,000 credit card numbers from agency computers.
As outlined above, the results of the risk assessment clearly demonstrate the value of performing the exercise. We will continue to recommend that all State agencies perform their own risk assessments.
HELPFUL FINANCIAL REPORTING RESOURCES
Below are links to some resources that contain useful information regarding technical financial reporting issues, as well as general financial reporting information. Some non-government sources may charge a fee for certain items.
Governmental Accounting Standards Board (www.gasb.org). Contains information that specifically impacts governmental accounting, including:
• GASB pronouncements,
• Implementation guides: provide guidance on how to implement various GASB pronouncements,
• Exposure drafts, and
• Research and other
American Institute of CPAs (www.aicpa.org). Contains extensive guidance and information on accounting and financial reporting topics. Examples of materials on the AICPA web-site are:
• Audit and accounting guides,
• Audit risk alerts,
• Checklists and illustrative financial statements,
• Financial reporting alerts, and
• Practice aids.
Government Accountability Office (www.gao.gov). Contains documents such as:
• Government auditing standards (Yellow Book),
• Professional standards updates, and
• Internal control management and evaluation tool.
Office of the Comptroller (www.ioc.state.il.us). Contains documents such as:
• SAMS manual,
• Supplement to SAMS Manual Procedure 2, Internal Control Review Checklist,
• SAMS bulletins,
• Accounting bulletins, and
• Payroll bulletins.
Office of the Auditor General (www.auditor.illinois.gov). Contains documents such as:
• All audit reports, and
• Quarterly summary of emergency purchases.
HIGH RISK AREAS
examinations identify certain aspects of State government that expose the State to an unacceptable level of risk. Since 2007, we have been highlighting these high risk areas in the Audit Advisory. The four high risk areas highlighted in this issue of the Audit Advisory include the following:
1) Contracting Processes; 2) Subrecipient Monitoring; 3) Untimely Financial Reporting; and 4) Fraud and Abuse.
1. CONTRACTING PROCESSES
The contracting process poses significant risks for State agencies and is susceptible to fraud and abuse. There are a myriad of ways the contracting process can be manipulated or abused. Consequently, an agency’s system of internal controls related to contracting needs to be strong, monitored, and enforced.
Contracting deficiencies have been routine findings in OAG audits. Examples of contracting deficiencies included: lack of documentation in the procurement file; allowing vendors to begin work without a formal written agreement in place; errors in scoring proposals; and contracts lacking all required certifications.
New laws effective July 1, 2010, significantly impacted the procurement organization, purchasing process and vendor requirements. Our examinations for the period ended June 30, 2011, will include reviews of procurements made under the new requirements.
2. SUBRECIPIENT MONITORING
State agencies’ failure to adequately monitor sub-recipients has been a central finding in the State’s Single Audit for years. The FY 2009 Single Audit included 25 findings and the FY 2010 Single Audit had 19 findings related to agencies’ deficiencies in monitoring subrecipients. Agencies covered by the Statewide Single Audit expended $29.3 billion in federal funding in FY 2010, of which $5.6 billion was passed through to subrecipients.
It is not sufficient for agencies to simply pass funding on to third parties. Rather, a system must be established to monitor how those funds are being spent and ensure these monies are being spent for the specified purpose. Subrecipient monitoring includes many aspects, such as reviewing and receiving grant or audit reports, as well as some level of on-site reviews or inspections.
3. UNTIMELY FINANCIAL REPORTING
As reported in our February 2011 management audit of the State’s Financial Reporting System discussed on page 1, untimely financial reporting poses significant risks to the State of Illinois. These risks occur in several critical key areas.
First, if reporting on the State’s financial position is delayed, State decision-makers lack critical information necessary to manage the operations of the State. In times of funding shortfalls as currently being experienced by the State, the need for timely and accurate financial information is even more important.
Second, the federal government is in the process of imposing new, more restrictive time requirements on states’ financial reporting and auditing. If the State’s financial reporting continues to be delayed, the risk increases that federal funding to the State may be delayed or withheld.
Finally, untimely financial information may have an adverse impact if public users are not getting needed information. For example, bond rating agencies use information in the State’s financial reports as part of their assessment of the overall risk and bond rating for the State. If needed financial information is unavailable, it may have an adverse, and costly, impact on the State’s bond rating and related borrowing costs.
Financial reporting delays and errors result in several significant effects, including increased audit testing, delays in the completion of audits, and delays in the preparation of the Comptroller’s Comprehensive Annual Financial Report (CAFR), as well as the Statewide Single Audit.
4. FRAUD AND ABUSE
Each State agency needs to have a fraud detection program. Recent audits have identified several instances where, due to a lack of adequate internal controls and oversight, public funds have been used for undocumented or improper purposes.
Agency managers have the responsibility to conduct internal vulnerability assessments of their operations to identify areas where misappropriation of State assets could occur. Once those areas are identified, then the controls need to be periodically reviewed and tested to ensure that they are properly designed and working.
The Fiscal Control and Internal Auditing Act (FCIAA), enacted in 1989, requires State agencies to establish, maintain, and annually evaluate their internal control systems. Agency internal control systems must reasonably assure compliance with applicable law and effective agency management. By May 1 of each year, each agency is required to certify to the Auditor General on its system of internal fiscal and administrative controls and its compliance with the FCIAA guidelines.
While the annual assessment should be an important tool for management to identify internal control weaknesses and take immediate corrective action, many agencies do not appear to be effectively completing the FCIAA process. There are instances where the FCIAA certifications agencies filed with the Auditor General’s Office show few, if any, weaknesses. Yet, when the OAG audits the agency, weaknesses in internal controls are identified and agency management agrees with the auditors that such deficiencies exist. If agency management would more rigorously conduct their annual FCIAA review, not only would weak agency controls be strengthened in a timely fashion, the number of OAG audit findings may be reduced. The Comptroller’s SAMS Manual (Procedure 02) contains guidance on the FCIAA process, as well as the Supplement to SAMS Manual Procedure 2, Internal Control Review Checklist (see box below).
COMPTROLLER’S SUGGESTED INTERNAL CONTROL REVIEW CHECKLIST
An internal control review checklist has been prepared to aid Illinois State agencies in conducting reviews of their systems of internal fiscal and administrative controls. The checklist is based, in part, on the “Internal Control Criteria Checklist”, “Audit Planning Checklist” and “Checklists for Observation of Auditee’s Management Practices” contained in the State of Illinois Auditor General Audit Guide For Performing Compliance Audits of Illinois State Agencies. Ideas have been drawn from this and other sources, and modified to fit the needs of the Fiscal Control and Internal Auditing Act (FCIAA) internal control review program. The checklist is organized into the following eleven major internal control review categories:
1. Agency Organization and Management
2. Administrative Support Services
3. Budgeting, Accounting and Reporting
4. Purchasing, Contracting and Leasing
5. Expenditure Control
6. Personnel and Payroll
7. Property, Equipment, and Inventories
8. Revenues and Receivables
9. Petty Cash and Local Funds
10. Grant Administration
11. Electronic Data Processing
This SAMS Supplement notes that Illinois State agencies are encouraged to use this checklist as a guide in determining the nature and scope of internal control review work that must be performed to enable the agency Chief Executive Officer to certify to the adequacy of his/her agency’s systems of internal fiscal and administrative control, as required by FCIAA-Section 3003.
Source: Comptroller’s Supplement to SAMS Manual Procedure 2, Internal Control Review Checklist
Office of the Auditor General
Iles Park Plaza, 740 East Ash Street
Springfield, Illinois 62703-3154
Michael A. Bilandic Building,
160 N. LaSalle Street, Suite S-900
Chicago, Illinois 60601-3109