Illinois’ Department of Innovation and Technology is riddled with security weaknesses and has racked up millions of dollars in costs from over-budget projects and late payments, according to the Illinois Auditor General.
The auditor’s office released a 106-page report on July 9 that unearthed 30 incidents of regulatory noncompliance by DoIT in 2017 and 2018 — problems the auditor’s office calls “significant and pervasive.” In that time, DoIT did not report more than $100 million in assets and property, the report says, and went $150 million over budget on its enterprise resource planning system, a centralized IT platform it’s developing. The project is now projected to cost $400 million.
DoIT and its ERP were the foundation of former Gov. Bruce Rauner’s efforts to modernize IT in Illinois. He signed an executive order to create DoIT in 2016, which consolidated the state’s IT functions into a single agency. The state’s chief information officer at the time, Hardik Bhatt, embraced the project, noting that the state was still using systems built in the 1970s and that an IT consolidation project was long overdue.
But from the beginning, the report says, the agency stumbled.
DoIT did not meet the terms of Rauner’s order, the report found, noting a “failure to timely and fully consolidate IT functions, employees, assets, and funds.” More than a third of state agencies had not transferred their personnel to DoIT as of June 2018, according to the report. Even more had not transferred their IT assets to the agency.
The report’s findings were not news to the Illinois Office of the Comptroller, which oversees the state’s finances. Abdon Pallasch, the office’s communications director, told StateScoop that the comptroller’s office has raised alarms about DoIT since 2017. DoIT, Pallasch said, had been refusing to give explanations for the bills it was submitting for the ERP project, which he said was unusual.
“It’s not normal. You want $400 million in taxpayer money? You have to justify it. What is it being spent on, what are the deliverables? What is the progress you’ve made? What are the benchmarks?” Pallasch said. DoIT, he said, “refused to answer those questions.”
After Susana Mendoza took over as Illinois’ comptroller in December 2016, Pallasch said that DoIT shut her office out of its planning for the ERP project. Per Pallasch, DoIT said it was “giving [the comptroller’s office] back the gift of our time,” though he declined to speculate further on DoIT’s motives.
Mendoza refused to approve DoIT’s voucher payments until the agency submitted explanations for the bills, which it did not do. By June 2018, according to the report, those held payments amounted to $125 million — and had accrued $20.6 million in late-payment interest. By this time, Illinois’ top cybersecurity official, Kirk Lonbom, had been promoted to the CIO role after Bhatt stepped down for a position at Amazon. Lonbom would retire in December.
That same year, DoIT did not report the costs for a $44.8 million fiber optic network, did not record $19 million worth of equipment from transferring agencies, and was unable to provide the purchase prices or dates for 2,305 pieces of equipment, the report says.
Such oversights have raised security concerns. DoIT could not determine whether 14 of the 17 missing computers that the auditor’s office identified had stored confidential information. It also could not provide an accurate count of its service providers or its servers to the auditor’s office — many of which, the report found, do not comply with IT security standards.
Whether or not these security deficiencies have led to breaches or other problems is unclear. “We did not note any specific data losses or specific security threats in our audit testing for that period,” the Illinois auditor’s office wrote in an email to StateScoop.
DoIT said in the report that it did not dispute the findings of the audit, and had implemented measures to bring the department into compliance with standards. The agency did not return StateScoop’s request for comment.
For Pallasch and the Office of the Comptroller, answers from DoIT arrived in April following a change in the agency’s leadership. Illinois Gov. J. B. Pritzker, who assumed office in January, named former Toyota executive Ron Guerrier as the head of DoIT and state CIO in March. DoIT began to provide documentation for its old vouchers, allowing the comptroller to start approving the agency’s bills.
“We’re on a much better path. The problems are largely being solved,” Pallasch said.
The auditor’s office said it will keep an eye on DoIT over the next two years, following up with another report that it will release after June 2020.