REPORT DIGEST

LEGISLATIVE INFORMATION SYSTEM

COMPLIANCE EXAMINATION
FOR THE TWO YEARS ENDED JUNE 30, 2024

Release Date:  July 8, 2025

FINDINGS THIS AUDIT: 4

CATEGORY:  NEW -- REPEAT – TOTAL
Category 1:  0 -- 0 -- 0
Category 2:  4 -- 0 -- 4
Category 3:  0 -- 0 -- 0
TOTAL:  4 -- 0 -- 4

FINDINGS LAST AUDIT: 3

State of Illinois, Office of the Auditor
General
FRANK J. MAUTINO, AUDITOR GENERAL

To obtain a copy of the Report contact:
Office of the Auditor General, 400 West
Monroe, Suite 306, Springfield, IL
62704-9849
(217) 782-6046 or TTY (888) 261-2887

This Report Digest and Full Report are also
available on the worldwide web at
www.auditor.illinois.gov

SYNOPSIS

• (24-03)  The Legislative Information
System (System) did not have adequate
controls over its change management process
and had not adequately controlled
developers’ access to the production
environment.

FINDINGS, CONCLUSIONS, AND RECOMMENDATIONS

WEAKNESSES IN CHANGE CONTROL PROCESSES

The Legislative Information System (System)
did not have adequate control over its
change management process and had not
adequately controlled developers’ access to
the production environment.

The System had established a change
management process describing the change
controls from initiation to implementation
of changes. However, during the review of
the System’s change control policies and
procedures, we noted the System had not
established requirements to conduct post-
implementation reviews for emergency
changes.

Additionally, during testing we noted the
following:

• 3 of 51 (6%) change requests did not
follow the System’s change control
procedures.

• 4 of 4 (100%) developers had privileges to
push the code to the production environment.
(Finding 3, pages 12-13)

We recommended the System:

• Establish requirements for post-
implementation reviews of emergency changes;

• Ensure the established change control
procedures are adhered to; and,

• Restrict the developer access to the
production environment by following the
principles of least privilege and
segregation of duties.

The System agreed with the recommendations.

OTHER FINDINGS

The remaining findings pertain to weaknesses
in Cybersecurity Programs and Practices,
Disaster Recovery Planning, and Controls
over System Security. We will review the
System’s progress towards the implementation
of our recommendations in our next State
compliance examination.

ACCOUNTANT’S OPINION

The accountants conducted a State compliance
examination of the System for the two years
ended June 30, 2024, as required by the
Illinois State Auditing Act. The accountants
stated the System complied, in all material
respects, with the requirements describe in
the report.

This State compliance examination was
conducted by the Office of the Auditor
General’s staff.

COURTNEY DZIERWA
Division Director

This report is transmitted in accordance
with Section 3-14 of the Illinois State
Auditing Act.

FRANK J. MAUTINO
Auditor General

FJM:cgc