Volume 28, 2022 Annual Edition
AUDIT ADVISORY
Emerging and Potential Audit Issues
Frank J. Mautino, Auditor General
Auditor General’s Message
The purpose of the Illinois Audit Advisory is to share information that may aid state agency operations’ efficiency, effectiveness, and compliance with state laws.
As agency managers and public officials, we have the responsibility to efficiently and effectively use agency resources. To ensure proper use of such resources, a sound system of management controls is of primary importance. Agency management has always been, and continues to be, responsible for ensuring that an adequate system of internal controls has been established within the agency and that the system is properly functioning. However, the Office of the Auditor General is committed to aiding agencies to the extent allowed by auditing standards and independence requirements.
Timeliness of reporting responses and proper internal controls can help to ensure efficiencies in a new technological age. To that end, we have included cyber security audits in compliance audits since 2019. Today’s Audit Advisory will look at and review cyber security findings and opportunities for improvements. We will also review timelines and important dates for agency managers to keep in mind.
I hope you find this issue of the Illinois Audit Advisory helpful.
Holland Inducted Into NASACT Hall of Fame
Former Illinois Auditor General William G. Holland was recently inducted into the National Association of State Auditors, Comptrollers and Treasurers (NASACT) Hall of Fame. Holland was the State’s longest-serving Auditor General, holding the position for more than 23 years, from August 1, 1992 to December 31, 2015.
Holland began his government career in 1974 as a legislative intern. In 1980, he was appointed the first director of the Illinois General Assembly’s Washington Office. From 1983 to 1992, Holland served as chief of staff for the Illinois Senate President.
During his tenure as Auditor General, Holland’s audits won several national awards and the Office was known for its objectivity and high ethical standards. While Holland was always quick to credit his staff, his leadership made the Office one of the most respected agencies in the State of Illinois.
Holland served as president of both the National State Auditors Association (NSAA) and NASACT. He has also been recognized by his peers for numerous awards including two NASACT President’s Awards and the NSAA William R. Snodgrass Distinguished Leadership Award.
Cybersecurity Reviews
Public Act 100-914 amended the Illinois State Auditing Act (30 ILCS 5/3-2.4 new) to specifically include Cybersecurity as part of our Compliance Examination program with an effective date of January 1, 2019.
As outlined in the past several Audit Advisories, we incorporated a review of Cybersecurity into the standard compliance examination program and also performed detailed testing at selected agencies in the June 30, 2021 examinations.
We used the following general criteria in our examinations to determine if agencies had:
1. Established and documented cybersecurity roles and responsibilities.
2. Established and communicated policies, procedures, and processes to manage and monitor the regulatory, legal, environmental, and operational requirements.
3. Performed a comprehensive risk assessment to identify and ensure adequate protection of confidential or personal information most susceptible to attack.
4. Classified data to establish the types of information most susceptible to attack to ensure adequate protection.
5. Ensured all employees annually complete cybersecurity training as outlined in the Data Security on State Computers Act.
6. Evaluated and implemented appropriate controls to reduce the risk of attack.
We identified significant weaknesses at 35 agencies (from reports released through August 18, 2022) and the table below summarizes our findings.
Deficiencies in Categories as Listed Above

| Agency | Finding | 1 | 2 | 3 | 4 | 5 | 6 |
|---|---|---|---|---|---|---|---|
| Abraham Lincoln Presidential Library and Museum | 2021-012 | ✔ | ✔ | ✔ | ✔ | ✔ | |
| Chicago State University | 2021-009 | ✔ | | | ✔ | | |
| Commission on Government Forecasting & Accountability | 2021-002 | ✔ | ✔ | ✔ | ✔ | | |
| Criminal Justice Information Authority | 2021-013 | | ✔ | ✔ | ✔ | ✔ | ✔ |
| Department of Agriculture | 2021-004 | ✔ | ✔ | ✔ | | ✔ | |
| Department of Central Management Services | 2021-011 | | | ✔ | | ✔ | |
| Department of Healthcare and Family Services | 2021-019 | | ✔ | ✔ | ✔ | ✔ | |
| Department of Human Rights | 2021-002 | | ✔ | ✔ | ✔ | | ✔ |
| Department of Labor | 2021-008 | | ✔ | ✔ | ✔ | ✔ | ✔ |
| Department of Lottery | 2021-011 | | ✔ | ✔ | ✔ | | ✔ |
| Department of Public Health | 2021-029 | | | ✔ | | ✔ | |
| Eastern Illinois University | 2021-008 | | ✔ | ✔ | ✔ | ✔ | ✔ |
| Governors State University | 2021-010 | | ✔ | ✔ | ✔ | ✔ | ✔ |
| Illinois Arts Council | 2021-005 | ✔ | | ✔ | ✔ | | |
| Illinois Emergency Management Agency | 2021-008 | ✔ | ✔ | ✔ | ✔ | | ✔ |
| Illinois Finance Authority | 2021-002 | | ✔ | ✔ | ✔ | ✔ | ✔ |
| Illinois Housing Development Authority | 2021-015 | | | ✔ | ✔ | ✔ | |
| Illinois Mathematics and Science Academy | 2021-001 | | ✔ | ✔ | ✔ | ✔ | ✔ |
| Illinois State University | 2021-003 | | ✔ | | | ✔ | |
| Illinois Workers’ Compensation Commission | 2021-012 | | ✔ | ✔ | ✔ | ✔ | ✔ |
| Legislative Reference Bureau | 2021-003 | ✔ | | ✔ | ✔ | ✔ | |
| Liquor Control Commission | 2021-009 | ✔ | ✔ | ✔ | ✔ | ✔ | |
| Northeastern Illinois University | 2021-012 | | ✔ | ✔ | | ✔ | ✔ |
| Office of Executive Inspector General | 2021-001 | ✔ | ✔ | ✔ | ✔ | | ✔ |
| Office of Governor | 2021-009 | ✔ | ✔ | ✔ | ✔ | | ✔ |
| Office of Lieutenant Governor | 2021-002 | ✔ | ✔ | ✔ | ✔ | | ✔ |
| Office of Secretary of State | 2021-014 | | ✔ | ✔ | ✔ | ✔ | ✔ |
| Southern Illinois University | 2021-012 | | ✔ | ✔ | | | |
| State Board of Elections | 2021-001 | | ✔ | ✔ | ✔ | | ✔ |
| State Universities Retirement System | 2021-001 | | ✔ | ✔ | ✔ | ✔ | ✔ |
| Supreme Court | 2021-001 | | ✔ | ✔ | ✔ | ✔ | ✔ |
| Supreme Court Historic Preservation Commission | 2021-002 | ✔ | ✔ | ✔ | ✔ | | ✔ |
| Teachers’ Retirement System | 2021-002 | | ✔ | ✔ | ✔ | | |
| University of Illinois | 2021-021 | | | | | ✔ | ✔ |
| Western Illinois University | 2021-009 | | ✔ | ✔ | ✔ | ✔ | ✔ |
To promote agencies’ responsibility to ensure that confidential information is protected from accidental or unauthorized disclosure, we generally recommended they ensure that the six areas identified above are adequately addressed. For small agencies, our primary focus is on the completion of a comprehensive risk assessment to help determine if all of the six areas need to be implemented.
We will continue to emphasize the review of cybersecurity programs and practices in future compliance examinations.
Important Reporting Dates
Our audit findings reveal that many agencies routinely miss recurring reporting deadlines. While some of these reports are ministerial in nature, failure to comply not only subjects an agency to an audit finding but also suggests a lack of management controls over legal requirements. Additionally, as more agencies struggle to get by with less staff, anticipating and making plans in advance to meet upcoming deadlines becomes more critical.
State agencies are required to fulfill some requirements on an annual basis but the date for completion is not set in statute. Agencies should establish tickler files to ensure these requirements are met each year:
| Annual Requirement | Source of Requirement |
|---|---|
| DoIT cybersecurity training | Data Security on State Computers Act (20 ILCS 450/25) |
| Ethics training | State Officials and Employees Ethics Act (5 ILCS 430/5-10 (a)) |
| Evaluation of each employee | Illinois Administrative Code (80 Ill. Adm. Code 302.270 (d)) |
| Harassment and discrimination prevention training | State Officials and Employees Ethics Act (5 ILCS 430/5-10.5 (a-5)) |
| Physical inventory of State equipment to CMS | Illinois Administrative Code (44 Ill. Adm. Code 5010.460) |
Other deadlines are not fixed dates but instead are triggered by an event or occurrence. A sampling of those requirements that our audit experience shows are often missed by agencies follows:
| Timeframe | Triggering Event | Action | Source of Requirement |
|---|---|---|---|
| Prior to authorizing travel | Use of private vehicle on State business | Obtain statement from State employee certifying he/she is duly licensed and has statutory minimum insurance coverage | Illinois Vehicle Code (625 ILCS 5/10-101(b)) and Illinois Administrative Code (80 Ill. Adm. Code 3000.300 (f) (1)) |
| Day of receipt | Any single item of receipt exceeding $10,000 | Deposit into the State treasury | State Officers and Employees Money Disposition Act (30 ILCS 230/2) |
| Within 24 hours | An accumulation of receipts totaling $10,000 or more | Deposit into the State treasury | State Officers and Employees Money Disposition Act (30 ILCS 230/2) |
| Within 48 hours | An accumulation of receipts exceeding $500 but less than $10,000 | Deposit into the State treasury | State Officers and Employees Money Disposition Act (30 ILCS 230/2) |
| Within 3 days | Accident in State vehicle | File report (Form SR-1) with law enforcement and CMS | Illinois Administrative Code (44 Ill. Adm. Code 5040.520) |
| No later than 5 calendar days | Award of contract through emergency purchase | Post notice in the online electronic Procurement Bulletin | Illinois Procurement Code (30 ILCS 500/15-25 (c)) |
| Within 5 business days | Receipt of request for public records | Grant or deny unless timeframe is extended | Freedom of Information Act (5 ILCS 140/3 (d) and 3.1) |
| Within 10 days | Award of contract through emergency purchase | File statements with Procurement Policy Board, Commission on Equity and Inclusion, and Auditor General | Illinois Procurement Code (30 ILCS 500/20-30 (c)) |
| Within 15 days | Execution of a real property lease | File a copy with the Secretary of State | State Finance Act (30 ILCS 105/9) |
| Within 30 days | Grant or contract liability greater than $20,000 incurred | File copy with State Comptroller | Illinois Procurement Code (30 ILCS 500/20-80 (b)) |
| Within 30 days | Receipt of vendor bill | Review and approve or deny | State Prompt Payment Act (30 ILCS 540) and Illinois Administrative Code (74 Ill. Adm. Code 900.70) |
| Within 30 days | New employee hired | Take ethics training | State Officials and Employees Ethics Act (5 ILCS 430/5-10 (c)) |
| Within 30 days | New employee hired | Take harassment and discrimination prevention training | State Officials and Employees Ethics Act (5 ILCS 430/5-10.5 (a-5)) |
| Within 45 days | End of grant period | Receive unused grant funds back from grantee | Grant Funds Recovery Act (30 ILCS 705/) |
| Within 60 days | Travel expense incurred by State employee | Submit request for reimbursement | Internal Revenue Service Publication 535 and Accounting Bulletins numbers 134, 135 and 137 |
| Within 60 days of month end | Fiscal activity | Perform monthly reconciliation of various reports to the SAMS system | SAMS Procedure 07.30.20 |
| Within 90 days | Acquisition, change, or deletion of equipment | Adjust property records | Illinois Administrative Code (44 Ill. Adm. Code 5010.400) |
From a sampling of recent audits, below is a list of due dates for reports that most State agencies are required to submit:
| Due Date | Report | Report Recipient | Source of Requirement |
|---|---|---|---|
| Jan. 1 | Agency Workforce | Secretary of State & Governor | State Employment Records Act (5 ILCS 410/20) |
| Jan. 7 | Annual Report | Governor | State Finance Act (30 ILCS 105/3) |
| Jan. 15 | Travel Headquarters (TA-2) | Legislative Audit Commission | State Finance Act (30 ILCS 105/12-3) |
| May 1 | Evaluation of internal fiscal and administrative controls (FCIAA Certification) | Auditor General | Fiscal Control and Internal Auditing Act (30 ILCS 10/3003) |
| May 1 | Statements of Economic Interests | Secretary of State | Governmental Ethics Act (5 ILCS 420/4A-105) |
| July 1 – July 31 | Proof of driver's license and liability insurance for employees assigned a State vehicle | Agency Director | Illinois Vehicle Code (625 ILCS 5/7-601(c)) |
| July 15 | Travel Headquarters (TA-2) | Legislative Audit Commission | State Finance Act (30 ILCS 105/12-3) |
| July 15 | Identification of State agency employee responsible for distribution of agency publications | Illinois State Library Government Documents Section | Illinois Administrative Code (23 Ill. Adm. Code 3020.150) |
| July 31 | Annual Real Property Utilization | Central Management Services | State Property Control Act (30 ILCS 605/7.1(b)) |
| Aug. 1 | Agency Fee Imposition | State Comptroller | State Comptroller Act (15 ILCS 405/16.2) and SAMS Procedure 33.16.20 |
| Aug. 10 – Aug. 31 | General deadline for GAAP reporting packages | State Comptroller | SAMS Procedure 27.10.10 |
| Oct. 15 | GAAP basis financial statements (including footnote disclosures) | State Comptroller | SAMS Procedure 27.10.10 |
| Dec. 15 | Public Accountability Report | State Comptroller | SAMS Procedure 33.20.20 |
###
Contact Information:
Office of the Auditor General
Iles Park Plaza, 740 East Ash Street
Springfield, Illinois 62703-3154
Michael A. Bilandic Building,
160 N. LaSalle Street, Suite S-900
Chicago, Illinois 60601-3109
Phone: 217-782-6046
Fax: 217-785-8222
TTY: 1-888-261-2887
Fraud Hotline: 1-855-217-1895
E-mail: audgen@illinois.auditor.gov
Website: www.auditor.illinois.gov