REPORT DIGEST

ILLINOIS STATE BOARD OF EDUCATION

FINANCIAL AUDIT FOR THE YEAR ENDED JUNE 30, 2023

Release Date: March 14, 2024

FINDINGS THIS AUDIT: 1

CATEGORY       NEW    REPEAT    TOTAL
Category 1:    0      0         0
Category 2:    1      0         1
Category 3:    0      0         0
TOTAL:         1      0         1

FINDINGS LAST AUDIT: 3

Category 1: Findings that are material weaknesses in internal control and/or a qualification on compliance with State laws and regulations (material noncompliance).
Category 2: Findings that are significant deficiencies in internal control and noncompliance with State laws and regulations.
Category 3: Findings that have no internal control issues but are in noncompliance with State laws and regulations.

State of Illinois, Office of the Auditor General
FRANK J. MAUTINO, AUDITOR GENERAL

To obtain a copy of the Report contact: Office of the Auditor General, Iles Park Plaza, 740 E. Ash Street, Springfield, IL 62703, (217) 782-6046 or TTY (888) 261-2887

This Report Digest and Full Report are also available on the worldwide web at www.auditor.illinois.gov

INTRODUCTION

SYNOPSIS

• (23-01) The Illinois State Board of Education had not implemented adequate controls over its service providers.

FINDINGS, CONCLUSIONS, AND RECOMMENDATIONS

LACK OF ADEQUATE CONTROLS OVER THE REVIEW OF INTERNAL CONTROLS OVER SERVICE PROVIDERS

The Illinois State Board of Education (Agency) had not implemented adequate controls over its service providers.

The Agency utilized service providers for hosting services, credit card processing, and software as a service. The auditors tested seven service providers and noted:

• A requirement for a SOC report was not outlined in either a contract, or an addendum to a purchase order, for six (86%) service providers.
• The Complementary User Entity Controls specific to each SOC report were not adequately reviewed by the Agency for seven (100%) service providers.
• The deviations noted within one SOC report were not adequately reviewed by the Agency for one (14%) service provider.
• The period covered by the SOC report for one (14%) service provider was not through the end of the audit period. Additionally, no additional bridge letter was obtained.
• The period covered by the SOC report for one (14%) service provider, as well as the subsequent bridge letter obtained, did not cover the entire audit period.
• An appropriate SOC report was not received for one (14%) service provider, thus an adequate review of the testing performed by the service provider auditor could not be performed.

(Finding 1, pages 57-58).

The auditors recommended the Agency:

• Obtain and review SOC reports or conduct independent internal control reviews at least annually.
• Develop and implement procedures for ensuring a SOC report requirement is present in a contract or within an addendum to a purchase order.
• Monitor and adequately document the operation of the CUECs related to the Agency’s operations.
• Conduct an analysis to determine the impact of noted deviations to the Agency’s operations.
• Develop and implement procedures for ensuring SOC reports and/or corresponding bridge letters cover the entire audit period.

The Agency agreed with the finding and stated an employee has received basic training related to obtaining and reviewing SOC reports and Bridge Letters. The Agency also responded it will seek out more advanced training for the employee responsible for SOC reviews and it will continue to assess and modify the SOC review process to ensure data security and to meet compliance requirements.

We will review the Agency’s progress towards the implementation of our recommendations in our next financial audit.

AUDITOR’S OPINION

The auditors stated the financial statements of the Agency as of and for the year ended June 30, 2023 are fairly stated in all material respects.

This financial audit was conducted by Sikich LLP.

JANE CLARK
Division Director

This report is transmitted in accordance with Section 3-14 of the Illinois State Auditing Act.

FRANK J. MAUTINO
Auditor General

FJM:lkw