REPORT DIGEST ILLINOIS CONSERVATION FOUNDATION FINANCIAL AUDIT FOR THE YEAR ENDED JUNE 30, 2023 Release Date: February 6, 2024 FINDINGS THIS AUDIT: 1 CATEGORY: NEW -- REPEAT -- TOTAL Category 1: 0 -- 0 -- 0 Category 2: 0 -- 1 -- 1 Category 3: 0 -- 0 -- 0 TOTAL: 0 – 1 -- 1 FINDINGS LAST AUDIT: 1 Category 1: Findings that are material weaknesses in internal control and/or a qualification on compliance with State laws and regulations (material noncompliance). Category 2: Findings that are significant deficiencies in internal control and noncompliance with State laws and regulations. Category 3: Findings that have no internal control issues but are in noncompliance with State laws and regulations. State of Illinois, Office of the Auditor General FRANK J. MAUTINO, AUDITOR GENERAL To obtain a copy of the Report contact: Office of the Auditor General, Iles Park Plaza, 740 E. Ash Street, Springfield, IL 62703 (217) 782-6046 or TTY (888) 261-2887 This Report Digest and Full Report are also available on the worldwide web at www.auditor.illinois.gov INTRODUCTION This digest covers the financial audit of the Illinois Conservation Foundation (Foundation) as of and for the year ended June 30, 2023. The Foundation’s compliance examination covering the two-years ended June 30, 2023 will be released under a separate cover. SYNOPSIS • (23-01) The Foundation lacked adequate controls over review of internal controls over its service providers. FINDINGS, CONCLUSIONS, AND RECOMMENDATIONS LACK OF ADEQUATE CONTROLS OVER THE REVIEW OF INTERNAL CONTROLS OVER SERVICE PROVIDERS The Illinois Conservation Foundation (Foundation) did not have adequate controls over the review of internal controls over its service providers. During testing of the Foundation’s four service providers, we noted the Foundation had not: • Obtained and reviewed the System and Organization Control (SOC) report for one (25%) service provider. • Timely obtained and reviewed SOC reports for subservice providers or performed alternative procedures to determine the impact on its internal control environment. Two service providers’ (50%) SOC reports have identified subservice providers. • Monitored and documented the operation of the Complementary User Entity Controls (CUECs) relevant to its operations for three (75%) service providers. • Ensured a requirement for an independent review was included within the contract between the Foundation and four (100%) service providers. • Conducted an analysis to determine the impact of noted deviations within the SOC reports for two (50%) service providers. • Obtained bridge letters for three (75%) service providers when SOC reports did not encompass the entire audit period. (Finding 1, pages 31-32) We recommended the Foundation: • Obtain and review SOC reports or perform independent reviews of internal controls associated with outsourced system at least annually. • Either obtain and review SOC reports for subservice providers or perform alternative procedures to satisfy the use of the subservice providers would not impact the Foundation’s internal control environment. • Monitor and document the operation of CUECs relevant to the Foundation’s operations. • Review contracts with service providers to ensure applicable requirements over the independent review of internal controls are included. • Conduct an analysis to determine impact of noted deviations within the SOC reports. • Obtain bridge letters when SOC reports do not cover the entire audit period. The Foundation agreed with the recommendation. AUDITOR’S OPINION The auditors stated the financial statements of the Foundation as of and for the year ended June 30, 2023, are fairly stated in all material respects. This financial audit was conducted by Roth & Company, LLP. JANE CLARK Division Director This report is transmitted in accordance with Section 3-14 of the Illinois State Auditing Act. FRANK J. MAUTINO Auditor General FJM:vrb