REPORT DIGEST

OFFICE OF THE STATE APPELLATE DEFENDER
COMPLIANCE EXAMINATION
FOR THE YEAR ENDED JUNE 30, 2020

Release Date: July 21, 2021

FINDINGS THIS AUDIT: 1

CATEGORY: NEW -- REPEAT -- TOTAL
Category 1: 1 -- 0 -- 1
Category 2: 0 -- 0 -- 0
Category 3: 0 -- 0 -- 0
TOTAL: 1 -- 0 -- 1

FINDINGS LAST AUDIT: 0

Category 1: Findings that are material weaknesses in internal control and/or a qualification on compliance with State laws and regulations (material noncompliance).
Category 2: Findings that are significant deficiencies in internal control and noncompliance with State laws and regulations.
Category 3: Findings that have no internal control issues but are in noncompliance with State laws and regulations.

State of Illinois, Office of the Auditor General
FRANK J. MAUTINO, AUDITOR GENERAL

To obtain a copy of the Report contact: Office of the Auditor General, Iles Park Plaza, 740 E. Ash Street, Springfield, IL 62703
(217) 782-6046 or TTY (888) 261-2887

This Report Digest and Full Report are also available on the worldwide web at www.auditor.illinois.gov

SYNOPSIS

• (20-01) The Office of the State Appellate Defender did not obtain or conduct an independent internal control review over its service providers.

FINDINGS, CONCLUSIONS, AND RECOMMENDATIONS

LACK OF ADEQUATE CONTROLS OVER THE REVIEW OF INTERNAL CONTROLS OVER SERVICE PROVIDERS

The Office of the State Appellate Defender (Office) did not obtain or conduct an independent internal control review over its service providers.

The Office utilized four service providers for expenditure processing, purchase order requests, time and attendance reporting, and payroll adjustment processing. The data controlled by these service providers is critical to the Office’s operations and contains confidential information.

During our testing, we noted the following:

• The Office did not obtain a System and Organization Control (SOC) report or conduct an independent internal control review for three of four (75%) service providers utilized.
• The Office did not maintain documentation of their review of the SOC report provided for one of four (25%) service providers utilized.

(Finding 1, pages 9-10)

We recommended the Office obtain a SOC report or perform independent reviews of internal controls of service providers at least annually. In addition, upon receipt of a SOC report, the Office should:

• Monitor and document the operation of the Complementary User Entity Controls (CUECs) relevant to operations.
• Either obtain and review SOC reports for subservice organizations or perform alternative procedures to satisfy itself the usage of the subservice organizations would not impact the internal control environment.
• Document its review of the SOC reports and review all significant issues to ascertain if a corrective action plan exists and when it will be implemented, any impacts to the Office, and any compensating controls.

The Office agreed with the finding and accepted the recommendation.

ACCOUNTANT’S OPINION

The accountants conducted a compliance examination of the Office for the two years ended June 30, 2020, as required by the Illinois State Auditing Act. The accountants qualified their report on State compliance for Finding 2020-001. Except for the noncompliance described in this finding, the accountants stated the Office complied, in all material respects, with the requirements described in the report.

This compliance examination was conducted by the Office of the Auditor General’s staff.

JANE CLARK
Division Director

This report is transmitted in accordance with Section 3-14 of the Illinois State Auditing Act.

FRANK J. MAUTINO
Auditor General

FJM:JAC