REPORT DIGEST

OFFICE OF EXECUTIVE INSPECTOR GENERAL FOR AGENCIES OF THE ILLINOIS GOVERNOR

COMPLIANCE EXAMINATION FOR THE TWO YEARS ENDED JUNE 30, 2023

Release Date: April 4, 2024

FINDINGS THIS AUDIT: 5

CATEGORY: NEW -- REPEAT -- TOTAL
Category 1: 0 -- 0 -- 0
Category 2: 2 -- 3 -- 5
Category 3: 0 -- 0 -- 0
TOTAL: 2 -- 3 -- 5

FINDINGS LAST AUDIT: 4

Category 1: Findings that are material weaknesses in internal control and/or a qualification on compliance with State laws and regulations (material noncompliance).
Category 2: Findings that are significant deficiencies in internal control and noncompliance with State laws and regulations.
Category 3: Findings that have no internal control issues but are in noncompliance with State laws and regulations.

State of Illinois, Office of the Auditor General
FRANK J. MAUTINO, AUDITOR GENERAL

To obtain a copy of the Report contact: Office of the Auditor General, 400 West Monroe, Suite 306, Springfield, IL 62704-9849, (217) 782-6046 or TTY (888) 261-2887

This Report Digest and Full Report are also available on the worldwide web at www.auditor.illinois.gov

INTRODUCTION

The Office of Executive Inspector General for the Agencies of the Illinois Governor (Office) was established as an independent State agency charged with investigating allegations of fraud, waste, abuse, mismanagement, misconduct, nonfeasance, misfeasance, malfeasance, and violations of the State Officials and Employees Ethics Act.

SYNOPSIS

• (23-01) The Office did not timely file its Fiscal Control and Internal Auditing Act certifications.
• (23-04) The Office had not implemented adequate internal controls over its service providers.

FINDINGS, CONCLUSIONS, AND RECOMMENDATIONS

NONCOMPLIANCE WITH THE FISCAL CONTROL AND INTERNAL AUDITING ACT

The Office did not comply with the Fiscal Control and Internal Auditing Act (FCIAA). The certifications of compliance with the FCIAA for Fiscal Year 2022 and Fiscal Year 2023 were not filed timely.
The certifications were filed 200 and 8 calendar days late, respectively. (Finding 1, pages 9-10)

We recommended the Office perform timely evaluations of its systems of internal fiscal and administrative controls and timely file annual certifications regarding the evaluation with the Auditor General as required by the FCIAA.

The Office agreed the FCIAA certifications were not timely filed during the audit period due to significant staff turnover.

INADEQUATE CONTROLS OVER SERVICE PROVIDERS

The Office had not implemented adequate internal controls over its service providers. In order to carry out its mission, the Office utilized service providers for hosting services and software as a service.

We performed testing over the service providers identified. During our testing, we noted the Office had not obtained System and Organization Control (SOC) reports or conducted independent internal control reviews of one of the three (33%) service providers identified by the Office.

The Office was able to provide the assessment of the SOC reports for two of three external service providers identified. However, the following were noted in relation to the review done by the Office:

• The review did not provide details on specific areas assessed in the SOC report and the impact to the Office’s internal control environment.
• The FY22 review of the Department of Innovation and Technology SOC reports was done based on the report issued under Government Auditing Standards and did not include the review of the full SOC reports. Further, the review did not specify the Office’s assessment of the impact to their internal control environment and specific actions to be taken or compensating controls in place by the Office.
• The Office’s review of the SOC reports does not identify the controls in place to address Complementary User Entity Controls (CUECs) related to the Office’s operations as listed in the SOC reports.
• The Office did not obtain and review SOC reports for subservice organizations or perform alternative procedures or evaluation to satisfy itself that the existence of the subservice organization would not impact its internal control environment. (Finding 4, pages 16-17)

We recommended the Office strengthen its controls in identifying and documenting all service providers utilized. Further, we recommended the Office obtain SOC reports or conduct independent internal control reviews at least annually. In addition, we recommended the Office:

• Monitor and document the operation of the Complementary User Entity Controls (CUECs) related to the Office’s operations.
• Either obtain and review SOC reports for subservice organizations or perform alternative procedures to satisfy itself that the existence of the subservice organization would not impact its internal control environment.
• Document its review of the SOC reports and review all significant issues with subservice organizations to ascertain if a corrective action plan exists and when it will be implemented, any impact to the Office, and any compensating controls.

The Office agreed it did not review a SOC report from one service provider due to the service provider not providing it. The Office disagreed with the remainder of the finding regarding the Office’s review and documentation of review of SOC reports. However, Office officials stated that going forward the Office will implement practices for a more detailed SOC review.

OTHER FINDINGS

The remaining findings pertain to cybersecurity weaknesses, disaster recovery planning weaknesses, and late submission of census data reconciliation certification. We will review the Office’s progress towards the implementation of our recommendations in our next State compliance examination.

ACCOUNTANT’S OPINION

The accountants conducted a State compliance examination of the Office for the two years ended June 30, 2023, as required by the Illinois State Auditing Act.
The accountants stated the Office complied, in all material respects, with the requirements described in the report.

This State compliance examination was conducted by Adelfia LLC.

JANE CLARK
Division Director

This report is transmitted in accordance with Section 3-14 of the Illinois State Auditing Act.

FRANK J. MAUTINO
Auditor General

FJM:EMO