26, 2020 Annual Edition
and Potential Audit Issues
Frank J. Mautino, Auditor General
This year has marked historic challenges for state government and the agencies that
serve the good people of Illinois. The worldwide pandemic has left its mark on
all facets of life in our society. The people of Illinois have endured historic
levels of unemployment, dramatic changes to our social structure, and increased
levels of financial, physical, and emotional stress as a direct result of
this time, the agencies of the State of Illinois provided relief, comfort, and
critical services. This they accomplished while working remotely under high-pressure
and constantly evolving work place conditions. They should be commended for
their dedication, ingenuity, and ability to keep state operations running.
The purpose of the Illinois Audit Advisory is to share information that may make state
agency operations more efficient, effective, and/or increase compliance with State
law. In this issue we will look at the effects of the pandemic on the audit
process. We will also review crisis management planning, risk identification,
and cyber security. In the coming year, tracking of expenditures of state and
federal dollars to combat COVID-19 will be important in determining,
evaluating, and improving our reaction to this or any future crisis.
As always, my Office looks forward to working with you in a cooperative manner
during this audit cycle.
of COVID-19 on the Audit Process
On January 30, 2020, the World Health Organization declared a public health
emergency. On March 20, 2020,
Pritzker issued a stay-at-home order that went into effect the next day. This
means any State agencies undergoing a fiscal year 2020 audit will have been affected
by the COVID-19 pandemic during the audit period. Auditing these agencies will
present unique challenges and heightened risk.
When the stay-at-home order was issued, agencies shifted from working in an office
to working remotely. Since an agency’s relevant controls may have changed to accommodate
remote working, the risk of a breakdown in internal controls is increased.
Auditors need to be aware of risks and modify audit approaches accordingly.
It is important to note that while auditing standards address what evidence needs
to be obtained, the standards don’t dictate how to meet the requirements. Auditors
can work remotely and still meet auditing standards. However, in some cases,
auditors may encounter scope limitations such as performing physical inventory
observations, accessing agency records, and testing internal controls.
The following are procedures that can be utilized that allow the audits to proceed while
limiting exposure to both auditors and agency staff:
• Holding interviews, including fraud interviews, via video conferencing;
• Avoiding travel to audit locations except when absolutely necessary;
• Conducting video observation of inventories, eligibility case file
documentation, voucher support, etc.;
• Considering alternate inventory solutions, such as postponement of inventory
counting to when the environment is more relaxed and possibly performing roll
forward and roll back procedures; and
• Providing auditors remote access to IT systems for various detail transactions
In the current circumstances, effective communication is more important than ever.
The auditee agency should immediately notify auditors of any issues that will
impact both timeliness and its ability to fully respond to audit requests. The
agency and the auditor should work together to resolve any obstacles. While
delays in responding to audit requests can be expected, the pandemic should not
be used as a justification for not cooperating and needlessly delaying the
a Crisis Management Plan
If your agency does not have a crisis management plan in place, now may be a good
time to start the process of developing one while the current crisis is fresh
in our minds. Also, keep in mind during the process that there are a myriad of
types of crises that you may need to plan for such as natural disasters, a
technology crisis, or a personnel crisis. Below are some key steps that will help
guide your agency through the process.
1. Assess your risks and identify types of crises
To get started, the first step is a risk assessment, which identifies potential
crises that could disrupt your functions and/or processes. Work with members of
your agency’s leadership and other key stakeholders to begin listing all
relevant threats and vulnerabilities that could have an impact. These might
include cyber-attacks, data breaches, and natural disasters.
Determine the impact on your agency
the potential impact a crisis could have on your agency’s operations. This can
reveal a variety of potential effects, including:
• Lost or delayed revenues
• Increased expenses (for example, paying for overtime or acquiring materials to address
Identify possible actions
identifying which actions will help your agency respond effectively to each
crisis situation. Think about the steps that would be required to resolve a
given crisis, the resources needed, and how employees can assist.
Once you’ve determined possible actions for each potential crisis, develop the plans
with input from relevant stakeholders including key employees and contractors.
Agency staff can help to provide insight into available resources and potential
hurdles. As you work your way through the plan, keep in mind any relevant regulatory
requirements, and determine how you will continue to meet them, even in the
midst of a crisis. For example, if your organization must remain compliant with
the Health Insurance Portability and Accountability Act of
(HIPAA), be sure to account for this regulation in each crisis scenario.
Familiarize and train employees
Employees should understand their roles during a crisis. Consider ways to quickly and
effectively communicate and distribute your crisis plan including access to
current documents and other needed information. Also, employees and stakeholders
should be regularly trained on your crisis management plan.
Revisit and update the plan
Once your plan is in place, be sure to revisit it on a regular basis. It is
important to keep the plan up to date, especially as employees join or leave
the organization, new technologies are implemented, and other changes occur
Planning and Fraud Risk Management from an Agency Perspective
The COVID-19 pandemic has resulted in unprecedented social and economic upheaval in
the US. In Illinois, many State agencies transitioned to a remote workforce during
most of the final quarter of FY20. Although existing technologies such as video
and teleconferencing services have helped facilitate a new normal, working in this
new environment still poses numerous challenges.
As a result of this crisis, agencies should have a heightened awareness of the risk for
fraud and misconduct that might occur. During this crisis, agency employees may
have been faced with increased pressure and urgency to respond to requests.
Even though most people behave ethically, agencies and their management should
review their controls, processes, and procedures to assess the risk of fraud during
Fraud prevention should not be an afterthought in crisis planning and response; it
should be a starting point. There are several steps agencies can take in order
to effectively manage fraud risk during a crisis. Questions for agency leaders
to consider include:
• Is the agency reinforcing its code of conduct and policies and procedures?
• Are there resources dedicated to monitoring compliance (i.e. a whistleblower
• Is the agency emphasizing a safe environment for employees to speak up?
• Are processes still in place to identify red flags and warning signs?
• What gatekeeping functions or internal controls might be compromised that may
pose a risk?
• What measures are being set in place to boost employee morale and prevent
(excerpted from the Center for Audit Quality’s Managing Fraud Risk, Culture, and
Skepticism During COVID-19)
Public Act 100-914 amended the Illinois State Auditing Act (30 ILCS
5/3-2.4 new) to specifically include
Cybersecurity as part of our Compliance Examination program with
an effective date of January 1, 2019 (see inset below).
Sec. 3-2.4. Cybersecurity audit.
a) In conjunction with its annual compliance examination program,
the Auditor General shall review State agencies and their cybersecurity
programs and practices, with a particular focus on agencies holding large
volumes of personal information.
b) The review required under this Section shall, at a minimum,
assess the following:
1) the effectiveness of State agency cybersecurity practices;
2) the risks or vulnerabilities of the cybersecurity systems used
by State agencies;
3) the types of information that are most susceptible to attack;
4) ways to improve cybersecurity and eliminate vulnerabilities to
State cybersecurity systems; and
5) any other information concerning the cybersecurity of State
agencies that the Auditor General deems necessary and proper.
To address the amendment, on the audits for the period ending June
30, 2019, we did the following:
• Updated the Compliance Audit Guide to include specific questions
concerning cybersecurity practices, policies and procedures, training, roles
and responsibilities, risk assessments, and data classifications. In addition,
we provided guidance to assist audit staff and contractors in obtaining and
reviewing documentation to support responses.
• Performed detailed testing at 20 agencies considered higher risk
as part of the June 30, 2019 compliance examinations. We provided these
agencies with detailed information regarding our analysis and if appropriate we
developed material or immaterial findings.
To promote agencies’ responsibility to ensure that confidential
information is protected from accidental or unauthorized disclosure, we
generally recommend they:
• Establish and document cybersecurity roles and responsibilities.
• Establish and communicate policies, procedures, and processes to
manage and monitor the regulatory, legal, environmental and operational
• Perform a comprehensive risk assessment to identify and ensure
adequate protection of confidential or personal information most susceptible to
• Classify data to establish the types of information most
susceptible to attack to ensure adequate protection.
• Ensure all employees annually complete cybersecurity training as
outlined in the Data Security on State Computers Act (20 ILCS 450).
Our 2021 Annual Report will have a section with additional
information on the results of cybersecurity testing and general recommendations
for improvement. An approach similar to 2019 will be used in the June 30, 2020
Fraud Risks and Preventing Fraud from an Auditing Perspective
The new environment resulting from the COVID-19 pandemic has created an increased
risk of fraud and improper financial reporting. As such, auditors, both internal
and external, should be on a heightened alert for fraud. The COVID-19 pandemic
presents a near perfect storm for fraud risk. With the increases in
unemployment and uncertainties in the economy, employees may have felt pressure,
particularly if they experienced personal financial difficulties. Couple this
with potential breakdowns in internal controls or management overrides of
internal controls, and the opportunities for fraudulent activities are increased.
In response to the current crisis, many agencies and organizations have changed
working protocols to enable remote working. This can lead to an increased risk
of fraud if internal controls are circumvented as a result of the change in practices.
The International Auditing and Assurance Standards Board highlights, in a
COVID-19 staff alert, the need for auditors to have heightened awareness of the
possibility of fraud or error, and the importance of exercising professional
skepticism when performing audit procedures.
Professional skepticism is an attitude that includes a questioning mind, being alert to
conditions that may indicate possible misstatement due to fraud or error, and a
critical assessment of audit evidence.
Fraud can occur both within an agency and outside the agency as clients may try to
take advantage of new opportunities to commit fraud. Auditors should be alert
to see if agencies have taken steps to strengthen fraud prevention such as:
• Updating fraud risk assessment programs;
• Examining and updating internal controls to address new risk factors; and
• Underscoring prevention policies with employees and making sure they understand
who to report to if they suspect fraud.
expenditures are likely to be scrutinized in future audits. Agencies should be
aware of guidance issued by the federal Department of the Treasury. The federal
Coronavirus Aid, Relief, and Economic Security Act
(CARES Act) established the Coronavirus Relief Fund. The Fund was used to make
payments for specified uses to State and local governments. The CARES Act
provided that payments from the Fund
may only be used to cover costs that:
• are necessary expenditures incurred due to the public health emergency with
respect to the Coronavirus Disease 2019 (COVID–19);
• were not accounted for in the budget most recently approved as of March 27,
2020 (the date of enactment of the CARES Act) for the State or government; and
• were incurred during the period that begins on March 1, 2020, and ends on
December 30, 2020.
The Department of the Treasury issued guidance on its interpretations of the
permissible use of funds. The requirement that expenditures be incurred “due to”
the public health emergency means that expenditures must be used for actions
taken to respond to the public health emergency. These may include expenditures
incurred to respond directly to the emergency, such as by addressing medical or
public health needs, as well as expenditures incurred to respond to
second-order effects of the emergency, such as by providing economic support to
those suffering from employment or business interruptions due to COVID-19-related
business closures. Funds may not be used to fill shortfalls in government
revenue to cover expenditures that would not otherwise qualify under the
The Department of the Treasury’s guidance listed examples of eligible expenditures
under the following categories:
• Public health expenses;
• Expenses of actions to facilitate compliance with COVID-19 related public
health measures; and
• Expenses associated with the provision of economic support in connection with
the COVID-19 public health emergency.
The guidance can be found at the Department of Treasury’s website at https://home.treasury.gov/.
On May 8, 2020, the Governmental Accounting Standards Board (GASB) issued
Statement No. 95 which postponed the effective dates on several statements and
implementation guides. Most effective dates were postponed by one year with two
being postponed by 18 months. Go to GASB’s website at https://www.gasb.org/home
for more information.