LEGISLATIVE

AUDIT

COMMISSION

 

 

 

 

Review of

Department of Commerce and Community Affairs

Two Years Ended June 30, 2002

 

622 Stratton Office Building

Springfield, Illinois 62706

217/782-7097

 

 

REVIEW:  4189

DEPARTMENT OF COMMERCE AND COMMUNITY AFFAIRS

TWO YEARS ENDED JUNE 30, 2002

 

FINDINGS/RECOMMENDATIONS - 8

ACCEPTED - 8

 

REPEATED RECOMMENDATIONS - 0

PRIOR AUDIT FINDINGS/RECOMMENDATIONS - 4

 

This review summarizes an audit of the Illinois Department of Commerce and Community Affairs for the two years ended June 30, 2002, filed with the Legislative Audit Commission June 12, 2003.  The auditors performed a financial and compliance audit in accordance with State law and Government Auditing Standards.  The auditors stated the Department’s financial statements were fairly presented.

 

The Department of Commerce and Community Affairs (DCCA), recently renamed the Department of Commerce and Economic Opportunity (DCEO), was created in 1979 to provide a wide range of services designed to promote economic development in Illinois.  Offices are maintained in Springfield, Chicago, Quincy, East St. Louis, Collinsville, Marion, Rockford, Kankakee, Quad Cities, Mt. Sterling, and Washington, D.C.  Additionally, the Department has foreign offices in Brussels, Hong Kong, Tokyo, Mexico City, Budapest, Warsaw, Shanghai, Johannesburg, and Toronto.  DCCA is functionally organized into six bureaus:  Director’s Office; Business Development; Community Development; Energy and Recycling; Tourism; and Technology and Industrial Competitiveness. 

 

During the period under review, Pam McDonough was the Director.  The current Director is Jack Lavin, who became the Director in February 2003.  Director Lavin was not previously employed by the Department.

 

The average number of employees by division in the years indicated was as follows:

 

 

2002

2001

Director’s Office

    150

   159

Tourism

      18

     19

Technology and Industrial Competitiveness

      39

     38

Business Development

      84

     85

Community Development

      92

     86

Energy and Recycling

      74

     72

Illinois Trade Office

      22

     23

Films

         8

       8

Coal Development and Marketing

      14

     11

Illinois First

      17

     17

            TOTAL

518

518

 

Expenditures From Appropriations

 

The General Assembly appropriated a total of $2,147,392,442 from 49 different funds to the Department of Commerce and Community Affairs in FY02, an increase of $253.3 million, or 13.4%, over FY01.  Expenditures increased from $778.7 million in FY01 to $828.3 in FY02, an increase of $49.6 million, or 6.4%.  The increases in fund spending for   Capital Development and Build Illinois Bond Funds were due to increased spending for the Illinois First Program.  There were no new appropriations to the Fund for Illinois’ Future, which caused the decrease in expenditures from that fund.  Moderate winter weather resulted in decreased federal funds in the Low Income Home Energy Assistance Block Grant Fund. Appendix A summarizes the total appropriations and expenditures from all funds for the period under review. 

 

Lapse period expenditures were almost $41.5 million, or 5%.  Appendix B presents a comparison of expenditures by object.

 

 

Cash Receipts

 

Appendix C is a summary of the Department’s cash receipts for FY02 and FY01.  Total cash receipts decreased from $238,981,074 in FY01 to $222,195,860 in FY02.  The majority of the Department’s receipts are drawdowns on grants awarded by various federal agencies and are directly related to changes in those funds’ expenditure levels.   Cash receipts in FY2000 were 50% more than those in FY02. 

 

 

Property and Equipment

 

Appendix D provides a summary of property and equipment for FY02 and FY01.  The Department’s assets, represented almost solely by equipment, increased from $12,259,926 as of July 1, 2000 to $12,565,609 as of June 30, 2002.  In FY02, there was a transfer of land, valued at $55,298, into the Department.

 

 

Loans and Notes Receivable

 

At June 30, 2002 the Department had $32,499,000 in loans and notes outstanding, with $834,000 determined to be uncollectible.  Of the $32.5 million in loans and notes outstanding, $3.3 million was from the Build Illinois Capital Revolving Fund; $19.8 million was from the Public Infrastructure Construction Loan Revolving Fund; $8.5 million was from the Large Business Attraction Fund and the remaining $1 million was from other funds. 

 

 

 

Accountants’ Findings and Recommendations

 

Condensed below are the eight findings and recommendations presented in the audit report.  There were no repeated recommendations.  The following recommendations are classified on the basis of information provided by Scott Harry, Chief Financial Officer, via electronic mail received October 17, 2003.

 

 

Accepted

 

1.    Comply with professional standards and SAMS to ensure accurate financial information is submitted to the Office of the Comptroller.  Review and revise as necessary the current system in gathering the financial information that will be reported in the GAAP Reporting Packages.

 

Findings:      The Department did not correctly report financial information through the GAAP process.  The auditors noted the following errors:

  • Federal government receipts totaling approximately $75 million were reported as general grants instead of operating grants.
  • $7 million in payments made to local governments during the lapse period were recorded as accounts payable instead of intergovernmental payables.
  • $475,000 that was collected but not deposited as of June 30th was not considered or recorded as cash and revenues in the financial statements.
  • $291,000 in two petty cash funds and seven foreign imprest funds were not included in the financial statements.
  • Federal amounts provided to subrecipients totaling $184,143 and $201,029 for FY02 and FY01, respectively, were not included on the grant/contract analysis forms.

 

Response:    We agree with the recommendation and will comply with professional standards and SAMS to ensure financial information is submitted to the Office of the Comptroller in the proper format.  Accounting staff will continue to attend any State-sponsored training on GAAP reporting to learn more about GASB 34, SAMS and other professional standards for financial reporting to the Office of the Comptroller.

 

 

2.    Perform a detailed review of the contract monitoring process to ensure contractors are complying with contractual requirements, effectively performing duties, being paid for hours worked, and are meeting the needs of the Department.

 

 

 

Accepted - continued

 

Specifically, review the current practices and:

  • Ensure detailed supporting documentation is reviewed and accurately supports all contractual payments;
  • Develop procedures that ensure an independent review of contractual provisions and the appropriateness of reimbursable hours and expenses;
  • Discontinue the practice of paying contractors for non-productive hours such as holidays, vacations, or sick time;
  • Review the purpose, costs, and benefits of paying highly compensated contractors to attend training courses in addition to paying the training course registration fees and travel expenses;
  • Develop procedures regarding the monitoring of contract requirements and payments to ensure all services and goods are delivered prior to final payment; and
  • Review contractor payments and if deemed appropriate, request reimbursement for any unsubstantiated payments.

 

Findings:      The Department did not adequately monitor contractors.  The auditors identified 25 information systems contractors at the Department in FY02.  DCCA paid these contractors almost $2 million.  Review of the contracts and documentation supporting the payments identified the following:

  • Expenditures of over $102,000 for training related costs.  Specifically, the Department paid $30,910 for training course fees, predominantly attended by contractors, and an additional $5,077 in travel reimbursement for the contractors to attend the courses.  Contractors were paid their contracted hourly fee to attend the training courses for an estimate $66,264.
  • The Department has requirements to utilize sign-in sheets and the Key-Pad System.  However, auditors were unable to reconcile contractor timesheets submitted for payment with the sign-in sheets and the Key-Pad system logs.  The amount of hours billed for weekends was more than the hours documented on the sign-in/out sheets and the Key-Pad System logs.
  • The majority of timesheets were submitted for payment and paid with the required detail outlining the work completed and the time it took.
  • $23,700 was paid to contractors without supporting documentation (timesheets).
  • Timesheets documented the contractors working on a project, when in fact they were attending training.
  • Invoice vouchers indicated that contractors were paid for 71 hours of holidays, vacations and sick time totaling $4,459.  Contractors were paid $1,008 for hours they were listed as “out” on the timesheet submitted.  Contractors were paid for a total of 8.5 hours more than the hours recorded on the timesheet submitted.
  • One contractor was paid over $1.3 million for the development of a web-site.  However, the contractor went out of business and the Department did not receive adequate documentation for the web-site or the source code file to permit efficient and effective maintenance of the web-site.

 

Updated Response:          Information Technology Offices timekeeping system has been automated.  Procedures have been drafted for the review of the contracts for compliance to the terms of the contract.  Time sheets are being reviewed to determine no payments were made for holidays, vacations, or sick time. Training is being reviewed to determine whether purpose, cost, and benefits are reasonable.

           

 

3.    Form a quality assurance team to ensure all system development projects and major modifications follow the Application System Development Standards.  Appropriate documentation should be maintained to demonstrate compliance with Standards.  Develop a detailed cost estimate and conduct a cost-benefit analysis of the entire Customer Information System (CIS) project to ensure that the project will meet its needs in a cost-effective manner.

 

Findings:      The Department did not ensure compliance with the Application System Development Standards (Standards) on the Customer Information System (CIS) project.  Additionally, the Department had not determined the total estimated cost of the complete CIS project.

 

The Department’s Standards address the various phases of system development project and require documentation throughout the development process.  The auditors reviewed three modules of CIS for compliance with the Standards and noted the following:

  • Documentation was omitted or incomplete for each phase.  Testing plans were not developed.  System security plans were not developed.
  • Approval for each phase was not obtained.
  • User involvement was not adequately documented.
  • Data conversion documentation was not maintained.
  • Limited testing was conducted.
  • Post implementation reviews had not been conducted.
  • Internal Audit involvement was limited.

 

The total projected completion cost of the entire CIS project had not been researched or analyzed.  During FY02, the Department spent approximately $875,332 for 11 contractors for the development of the CIS project.

 

Updated Response:          A quality assurance team will review all new system developments and major modifications to insure compliance with standards and guidelines. The estimated completion date is March, 2004.  Prior projects will be reviewed to insure compliance with standards and guidelines. The estimated completion date is March, 2004.  A draft cost benefit analysis has been developed.  This will be an ongoing project subject to changes and updates.

 

Accepted - concluded

4.    Develop a formal security strategy and implement more stringent security parameters on computer systems.  Formally define security administration responsibilities.  Such responsibilities should include guidelines for performing security-related duties, and the formalized promotion of security awareness, including the orientation and continuing education of both employees and contractors.  Periodically perform an independent review of the security administration and awareness function to ensure security needs are being met, identify weaknesses, and encourage adherence to established policies and procedures. 

           

Ensure that information transmitted through the network and over the Internet is secured, and develop procedures to ensure log files are routinely reviewed.

 

Findings:      The Department had not established adequate controls for securing its computer resources.  The Department had established computer systems throughout the State and in the foreign offices in order to meet its mission and mandate.  The Department processes and maintains critical, confidential and sensitive information on its computer systems.  The auditors noted the following weaknesses:

 

  • Lack of security strategy to ensure that adverse situations such as security breaches and system failures were adequately addressed in a timely manner.
  • Lax security parameters such as no password requirements, no password change interval, no intrusion detection, and individuals with inappropriate administrative access.
  • Lack of encryption to ensure that packets containing sensitive and confidential information were not readable by unauthorized parties.
  • Lack of monitoring.  Intrusion Detection System, firewall, and server logs were not reviewed to ensure that settings were appropriate and effective security was maintained.

 

Updated Response:          A formal security strategy that includes security administration and more stringent security parameters on the network has been drafted.  A draft of security administration responsibilities has been prepared.  Security awareness training will be performed in November, 2003.  The Department now has a full-time Compliance Officer who is responsible for the ongoing review of the Department's security needs.  Procedures have been developed to ensure log files and parameter configurations are routinely reviewed.

 

 

5.   Develop an effective network and mainframe disaster recovery plan structure.  The plan, at a minimum, should include clearly defined procedures and time frames for different levels of failure in order to assure an appropriate response.  The plan should be periodically reviewed and tested at an acceptable recovery site to evaluate its effectiveness.  Future tests of the plan should also review the procedures used to recover information systems to ensure critical Department systems can be restored within the required timeframe, adequate training of staff and success of the plan.

 

       Perform an in-depth analysis of recovery needs in relation to their current environment, business-critical systems, and the maximum tolerable downtimes.  Work with DCMS to obtain an understanding of responsibilities regarding disaster recovery.

 

Findings:      The Department did not have a current or comprehensive disaster recovery plan and had never performed disaster recovery testing of its environment.

 

Updated Response:          A Disaster Recovery test was performed in July 2003.  The Disaster Recovery Policy has been updated, and will be tested in January, 2004.  The Department of Central Management Services was contacted in August 2003 to obtain an understanding of disaster recovery responsibilities, needs and training. The results of the July, 2003 test have been submitted to Central Management Services.

 

 

6.    Designate a formal steering committee charged with strategic planning.  The committee should meet regularly and include representatives from senior management, user management, and Information Technology Management (ITM).  The committee should prepare long-range strategic plans, not only for ITM, but for the entire Department.  The plan must include provisions for periodically reviewing and updating the plan to ensure it reflects the current environment.

 

Findings:      The Department did not have an adequate long-range strategic plan to effectively guide Information Technology activities.  Additionally, the Department did not have a formal steering committee to ensure the development of a long-range strategic plan for the Department. 

 

The Department’s focus has been on other developments rather than formalizing a long-range strategic planning process.  The lack of strategic planning has contributed to deficiencies in the Department’s business process, including a lack of cost estimates for a major conversion project, inadequate policies and procedures, insufficient disaster contingency capabilities, security weaknesses, inadequate system developments, and ineffective communication of responsibilities to staff.

 

Accepted - concluded

 

Updated Response:          A formal steering committee has been formed that includes the Director of Operations and the Director of Information Technology Management.  Other committee members will be selected from senior management and key staff.  Information Technology Management staff have met with management to survey the Department needs.  The strategic plan will be completed in November, 2003.

 

 

7.    Comply with the requirements of the Adult Education Reporting Act and submit the required report annually to the Illinois Community College Board.

 

Findings:      The Department did not submit required reports to the State Board of Education during FY01 and the Community College Board during FY02.  The Adult Education Reporting Act requires the Department to file a report on an annual basis listing

all education, training or intern programs, grants, loans or other services it administers or makes available for providing education or training to Illinois adult citizens.

 

Response:    The Department agrees with this recommendation and has prepared and submitted the required report for the current year, and has taken steps to ensure that the report will be updated annually.

 

 

8.    Comply with the Grant Funds Recovery Act and enforce the deadline for current submission requirements of the grant agreements.

 

Findings:      The Department did not receive grant close-out packages from grant recipients by the required deadline.  Twelve of 131 grant close-out packages were five to 256 days late.  The grant agreement requires the grantee to complete and submit a final grant close-out report within 45 days after the expiration or termination of the agreement.

 

Response:    The Department agrees with this recommendation and acknowledges the untimely issuance of close-out correspondence to these 12 grantees.  None of these 12 grantees were required to submit a refund to the Department.  Once these oversights were identified, grantees were immediately contacted and the close-out packages were submitted.  The Department has already taken corrective action so these isolated incidents will not reoccur.

 

 

Emergency Purchases

 

The Illinois Purchasing Act (30 ILCS 505/1) states that “the principle of competitive bidding and economical procurement practices shall be applicable to all purchases and contracts ...” The law also recognizes that there will be emergency situations when it will be impossible to conduct bidding.  It provides a general exemption for emergencies “involving public health, public safety, or where immediate expenditure is necessary for repairs to State property in order to protect against further loss of or damage ... prevent or minimize serious disruption in State services or to insure the integrity of State records.  The chief procurement officer may promulgate rules extending the circumstances by which a purchasing agency may make ‘quick purchases’, including but not limited to items available at a discount for a limited period of time.”

 

State agencies are required to file an affidavit with the Auditor General for emergency procurements that are an exception to the competitive bidding requirements per the Illinois Purchasing Act.  The affidavit is to set forth the circumstance requiring the emergency purchase. The Commission receives quarterly reports of all emergency purchases from the Office of the Auditor General.  The Legislative Audit Commission is directed to review the purchases and to comment on abuses of the exemption.

 

During FY01, the Department filed three affidavits totaling $467,089.49 for emergency purchases.   The purchases included $367,214.99 for tourism office operations; $62,984. to extend the call center contract until the contract could be bid; and $36,890.50 for storage of office equipment during asbestos abatement.  The Department had no emergency purchases in FY02.

 

 

Headquarters Designations

 

The State Finance Act requires all State agencies to make semiannual headquarters reports to the Legislative Audit Commission.  Each State agency is required to file reports of all of its officers and employees for whom official headquarters have been designated at any location other than that at which their official duties require them to spend the largest part of their working time.

 

The Department of Commerce and Community Affairs indicated as of July 15, 2002 that 53 employees had headquarters designated at a location other than that at which their duties require them to spend the largest part of their working time.

 

REVIEW TABLES DCCA#4189