REPORT DIGEST

DEPARTMENT OF THE LOTTERY
COMPLIANCE EXAMINATION FOR THE TWO YEARS ENDED JUNE 30, 2023

Release Date: May 9, 2024

FINDINGS THIS AUDIT: 8

CATEGORY      NEW   REPEAT   TOTAL
Category 1:     0        0       0
Category 2:     2        5       7
Category 3:     0        1       1
TOTAL:          2        6       8

FINDINGS LAST AUDIT: 14

State of Illinois, Office of the Auditor General
FRANK J. MAUTINO, AUDITOR GENERAL

To obtain a copy of the Report contact: Office of the Auditor General, 400 West Monroe, Suite 306, Springfield, IL 62704-9849, (217) 782-6046 or TTY (888) 261-2887. This Report Digest and Full Report are also available on the worldwide web at www.auditor.illinois.gov

INTRODUCTION

This digest covers the Department’s State Compliance Examination for the two years ended June 30, 2023. A digest covering the Financial Audit of the Department’s State Lottery Fund as of and for the year ended June 30, 2023, was previously released on February 6, 2024. In total, this report contains eight findings, none of which were reported in the Financial Audit.

SYNOPSIS

• (23-01) The Department did not maintain adequate internal control over its personal services function.
• (23-07) The Department had not implemented adequate internal controls related to cybersecurity programs, practices, and control of confidential information.

FINDINGS, CONCLUSIONS, AND RECOMMENDATIONS

INADEQUATE CONTROLS OVER PERSONAL SERVICES

The Department of the Lottery (Department) did not maintain adequate internal control over its personal services function. During our testing, we noted the Department did not include fringe benefits for the personal use of a State vehicle within its Lottery Sales Representatives’ taxable income during the engagement period. These employees extensively use State vehicles when commuting to retailers as part of their full-time job.
During our testing of 16 employees, with a total of 32 performance evaluations during the examination period, we noted the Department did not conduct 9 of 32 (28%) performance evaluations in a timely manner, as they were completed between 2 and 280 days after the final day of the employee’s evaluation period.

During our testing of the Department’s bilingual, African American, Hispanic, Asian-American, and Native American employment plans (State Employment Plans), we noted the Department was unable to provide documentation of survey support for the 2022 State Employment Plan report, as well as the date the surveys were submitted. (Finding 1, pages 10-12) This finding has been reported since 2019.

We recommended the Department implement controls to ensure:

• fringe benefits related to its employees’ commuting in State vehicles are either added to each affected employee’s taxable income or each employee provides a reimbursement to the State for the commuting use of the State’s vehicle, in strict adherence with IRS regulations;
• all required performance evaluations are conducted timely; and
• submission support for State Employment Plan Surveys is retained.

The Department accepted the finding, citing its intent to implement the recommendations.

WEAKNESSES IN CYBERSECURITY PROGRAMS AND PRACTICES

The Department had not implemented adequate internal controls related to cybersecurity programs, practices, and control of confidential information. As part of its mission, the Department utilizes several environments, applications, and databases which contain volumes of confidential and personal information of citizens. The Illinois State Auditing Act (30 ILCS 5/3-2.4) requires the Auditor General to review State agencies and their cybersecurity programs and practices.
During our examination of the Department’s cybersecurity program, practices, and control of confidential information, we noted the Department had not:

• addressed the verification of backups or off-site storage within the Department’s backup or IT policy;
• developed a project management framework to ensure new applications were adequately developed and implemented in accordance with management’s expectations;
• ensured that data classification documentation included information related to data retention and destruction;
• developed a Risk Management Methodology;
• developed security events monitoring or response policies and procedures; and
• ensured vulnerability scanning tools monitored the Department’s environment and applications to identify security vulnerabilities. (Finding 7, pages 22-24)

This finding has been reported since 2019.

We recommended the Department:

• document the verification of backups and off-site storage policy;
• develop a project management framework to ensure new applications are adequately developed and implemented in accordance with management’s expectations;
• include information related to data retention and destruction in the data classification documentation;
• develop a comprehensive Risk Management Methodology;
• develop a security incident policy which includes procedures for employees and contractors to notify Department management and document response procedures to identified security events; and
• ensure vulnerability scanning tools monitor the Department’s applications and networks to identify security vulnerabilities.

The Department accepted the finding and documented its plans to address each component of the recommendation.
OTHER FINDINGS

The remaining findings pertain to inadequate controls over vouchers, State vehicles, and reporting requirements; failure to incorporate a required contractual provision in the Private Manager Agreement; disaster recovery planning weaknesses; and an insufficient number of Lottery Control Board members. We will review the Department’s progress towards the implementation of our recommendations in our next State compliance examination.

AUDITOR’S OPINION

The auditors stated the financial statements of the State Lottery Fund as of and for the year ended June 30, 2023, are fairly stated in all material respects.

ACCOUNTANT’S OPINION

The accountants conducted a State compliance examination of the Department for the two years ended June 30, 2023, as required by the Illinois State Auditing Act. The accountants stated the Agency complied, in all material respects, with the requirements described in the report. This State compliance examination was conducted by Sikich LLP.

JANE CLARK
Division Director

This report is transmitted in accordance with Section 3-14 of the Illinois State Auditing Act.

FRANK J. MAUTINO
Auditor General

FJM:QK