REPORT DIGEST

REGIONAL OFFICE OF EDUCATION #45: MONROE AND RANDOLPH COUNTIES

FINANCIAL AUDIT FOR THE YEAR ENDED JUNE 30, 2020

Release Date: March 31, 2021

FINDINGS THIS AUDIT: 1

CATEGORY: NEW -- REPEAT -- TOTAL
Category 1: 0 -- 0 -- 0
Category 2: 1 -- 0 -- 1
Category 3: 0 -- 0 -- 0
TOTAL: 1 -- 0 -- 1

FINDINGS LAST AUDIT: 0

Category 1: Findings that are material weaknesses in internal control and/or a qualification on compliance with State laws and regulations (material noncompliance).
Category 2: Findings that are significant deficiencies in internal control and noncompliance with State laws and regulations.
Category 3: Findings that have no internal control issues but are in noncompliance with State laws and regulations.

State of Illinois, Office of the Auditor General
FRANK J. MAUTINO, AUDITOR GENERAL

To obtain a copy of the Report contact: Office of the Auditor General, Iles Park Plaza, 740 E. Ash Street, Springfield, IL 62703 (217) 782-6046 or TTY (888) 261-2887

This Report Digest and Full Report are also available on the worldwide web at www.auditor.illinois.gov

SYNOPSIS

• (20-1) The Regional Office of Education #45 lacked adequate controls over the review of internal controls over external service providers.

FINDINGS, CONCLUSIONS, AND RECOMMENDATIONS

LACK OF ADEQUATE CONTROLS OVER THE REVIEW OF INTERNAL CONTROLS OVER EXTERNAL SERVICE PROVIDERS

The Regional Office of Education #45 (ROE) did not establish proper controls when it switched to an accounting software which utilizes a service provider to provide hosting and backup services for the ROE.

The ROE is responsible for the design, implementation, and maintenance of internal controls, including the controls that are outsourced to service providers, related to information systems and operations to ensure resources and data are adequately protected from unauthorized or accidental disclosure, modifications, or destruction.
Generally accepted information technology guidance endorses the review and assessment of internal controls related to information systems and operations to assure the accurate processing and security of information.

During testing, the auditors noted the ROE had not:

• Developed a formal process for identifying service providers and either obtaining the Service Organization Controls (SOC) report from the service provider and related subservice organization or performing alternative procedures to determine the impact of such services on its internal control environment prior to signing an agreement with the service provider.
• Documented its review of the SOC report, or performed alternative procedures, to evaluate any issues relevant to the ROE’s internal controls.
• Monitored and documented the operation of the Complementary User Entity Controls (CUECs) relevant to the ROE’s operations.

Regional Office officials indicated that although the ROE has continually addressed technical security through informal evaluation of services with expert employees, the office has failed to formally address service organization controls through obtaining SOC reports and CUECs. The root cause of this failure by the ROE stems from the organization’s inability to maintain currency with recommendations and regulations from third party organizations and associations that influence the practices and requirements applicable to the ROE. The ROE is confident that it is able to maintain currency with direct state and federal regulations and administrative rules promulgated through respective state agencies but has been unable to adequately address the myriad of recommendations from non-regulatory entities that established new processes for governmental compliance. (Finding 20-001, pages 10a – 10c)

The auditors recommended the ROE identify all third-party service providers and determine and document if a review of controls is required.
If required, the ROE should:

• Obtain SOC reports or perform independent reviews of internal controls associated with outsourced systems, including services provided by subservice organizations, prior to signing agreements with the providers and annually thereafter.
• Document its review of the SOC report, or perform alternative procedures, to evaluate all significant issues to ascertain if a corrective action plan exists, when it will be implemented, any impacts to the ROE, and any compensating controls.
• Monitor and document the operation of the CUECs relevant to the ROE’s operations.
• Review contracts with service providers to ensure applicable requirements over the independent review of internal controls are included.

ROE Response: The Regional Office of Education shall adhere to the Auditors’ Recommendations and shall:

• Obtain SOC reports or perform independent review of internal controls associated with outsourced systems, including services provided by subservice organizations, prior to signing agreements with the providers and annually thereafter within the first quarter of the fiscal year.
• Document its review of the SOC report, or perform alternative procedures, to evaluate all significant issues to ascertain if a corrective action plan exists, when it will be implemented, any impacts to the ROE, and any compensating controls.
• Monitor and document the operation of the CUECs relevant to the ROE’s operations.
• Review contracts with service providers to ensure applicable requirements over the independent review of internal controls are included.

Additionally, the ROE shall work with the Illinois Association of Regional Superintendents of Schools (IARSS), the Office of the Illinois Auditor General, and the Illinois Legislative Audit Commission to assure adroit adherence with rules, recommendations and requirements promulgated and applicable to the office’s financial controls and practices.
AUDITORS’ OPINION

Our auditors state the Regional Office of Education #45’s financial statements as of June 30, 2020 are fairly presented in all material respects.

This financial audit was conducted by the firm of West & Company, LLC.

JOE BUTCHER
Division Director

This report is transmitted in accordance with Section 3-14 of the Illinois State Auditing Act.

FRANK J. MAUTINO
Auditor General

FJM:JRB