REPORT DIGEST

LEGISLATIVE INFORMATION SYSTEM

COMPLIANCE EXAMINATION
FOR THE TWO YEARS ENDED JUNE 30, 2024

Release Date: July 8, 2025

FINDINGS THIS AUDIT: 4

CATEGORY      NEW   REPEAT   TOTAL
Category 1      0        0       0
Category 2      4        0       4
Category 3      0        0       0
TOTAL           4        0       4

FINDINGS LAST AUDIT: 3

State of Illinois, Office of the Auditor General
FRANK J. MAUTINO, AUDITOR GENERAL

To obtain a copy of the Report contact: Office of the Auditor General, 400 West Monroe, Suite 306, Springfield, IL 62704-9849, (217) 782-6046 or TTY (888) 261-2887

This Report Digest and Full Report are also available on the worldwide web at www.auditor.illinois.gov

SYNOPSIS

• (24-03) The Legislative Information System (System) did not have adequate controls over its change management process and had not adequately controlled developers’ access to the production environment.

FINDINGS, CONCLUSIONS, AND RECOMMENDATIONS

WEAKNESSES IN CHANGE CONTROL PROCESSES

The Legislative Information System (System) did not have adequate control over its change management process and had not adequately controlled developers’ access to the production environment.

The System had established a change management process describing the change controls from initiation to implementation of changes. However, during the review of the System’s change control policies and procedures, we noted the System had not established requirements to conduct post-implementation reviews for emergency changes.

Additionally, during testing we noted the following:

• 3 of 51 (6%) change requests did not follow the System’s change control procedures.
• 4 of 4 (100%) developers had privileges to push the code to the production environment.
(Finding 3, pages 12-13)

We recommended the System:

• Establish requirements for post-implementation reviews of emergency changes;
• Ensure the established change control procedures are adhered to; and,
• Restrict the developer access to the production environment by following the principles of least privilege and segregation of duties.

The System agreed with the recommendations.

OTHER FINDINGS

The remaining findings pertain to weaknesses in Cybersecurity Programs and Practices, Disaster Recovery Planning, and Controls over System Security. We will review the System’s progress towards the implementation of our recommendations in our next State compliance examination.

ACCOUNTANT’S OPINION

The accountants conducted a State compliance examination of the System for the two years ended June 30, 2024, as required by the Illinois State Auditing Act. The accountants stated the System complied, in all material respects, with the requirements described in the report.

This State compliance examination was conducted by the Office of the Auditor General’s staff.

COURTNEY DZIERWA
Division Director

This report is transmitted in accordance with Section 3-14 of the Illinois State Auditing Act.

FRANK J. MAUTINO
Auditor General

FJM:cgc