REPORT DIGEST

DEPARTMENT OF CENTRAL MANAGEMENT SERVICES

COMPLIANCE EXAMINATION FOR THE TWO YEARS ENDED JUNE 30, 2023

Release Date: May 7, 2024

FINDINGS THIS AUDIT: 10

CATEGORY: NEW -- REPEAT -- TOTAL
Category 1: 0 -- 2 -- 2
Category 2: 2 -- 6 -- 8
Category 3: 0 -- 0 -- 0
TOTAL: 2 -- 8 -- 10

FINDINGS LAST AUDIT: 16

State of Illinois, Office of the Auditor General
FRANK J. MAUTINO, AUDITOR GENERAL

To obtain a copy of the Report contact: Office of the Auditor General, 400 West Monroe, Suite 306, Springfield, IL 62704-9849
(217) 782-6046 or TTY (888) 261-2887

This Report Digest and Full Report are also available on the worldwide web at www.auditor.illinois.gov

INTRODUCTION

This digest covers the Department of Central Management Services’ (Department) compliance examination for the two years ended June 30, 2023. The financial audit of the Department, as of and for the year ended June 30, 2023, was previously released on February 15, 2024. In total, this report contains ten findings, one of which was presented within the Department’s financial audit.

SYNOPSIS

• (23-2) The Department entered into interagency agreements that failed to adhere to provisions of the Fiscal Control and Internal Auditing Act.
• (23-10) The Department had not implemented adequate internal controls related to cybersecurity programs and practices.

FINDINGS, CONCLUSIONS, AND RECOMMENDATIONS

FAILURE TO ADHERE TO THE PROVISIONS OF THE FISCAL CONTROL AND INTERNAL AUDITING ACT

The Department of Central Management Services (Department) entered into interagency agreements that failed to adhere to provisions of the Fiscal Control and Internal Auditing Act (Act).
During the engagement period, the Department was party to interagency agreements with the following designated State agencies to provide internal audit services:

• Illinois Finance Authority
• Illinois Department of Agriculture
• Illinois Department of Corrections
• Illinois Department of Financial and Professional Regulation
• Illinois Department of Human Rights
• Illinois Department of Public Health
• Illinois Department of Veterans’ Affairs

We noted the following issues with these interagency agreements:

• The Illinois Finance Authority, the Illinois Department of Agriculture, the Illinois Department of Financial and Professional Regulation, and the Illinois Department of Human Rights did not have a Chief Internal Auditor during the engagement period and strictly relied on the Department to provide internal audit services. The interagency agreements ultimately resulted in these four agencies not maintaining their own full-time internal audit function. Further, these interagency agreements resulted in the Department’s Chief Internal Auditor not working full time with the Department’s own internal audit function.
• The Department did not obtain the Governor’s approval for the Department to provide professional internal auditing services for the following designated State agencies:
  — Illinois Finance Authority
  — Illinois Department of Agriculture
  — Illinois Department of Corrections
  — Illinois Department of Financial and Professional Regulation
  — Illinois Department of Human Rights
• The Department inconsistently established reimbursement arrangements for these agreements and did not follow any of the reimbursement arrangements in the interagency agreement.

(Finding 2, pages 12-16)

This finding has been reported since 2019.

We recommended the Department refrain from entering into interagency agreements which result in agencies and the Department not maintaining their own full-time internal audit function.
Additionally, we recommended any other services provided to agencies be done only with the approval of the Governor. Further, we recommended the Department consistently establish and enforce reimbursement arrangements and amend its interagency agreements to reflect the reimbursement arrangements followed by the Department.

The Department accepted the finding and recommendation and stated they have begun the process of updating the intergovernmental agreements with the necessary changes related to the billing issues. The Department stated all intergovernmental agreements for internal audit services are now sent through the Governor’s Office for approval. Further, the Department stated that while the Department has been providing internal audit support for other designated state agencies, we are committed to training staff to become Chief Internal Auditors and, as such, they are committed to encouraging qualified staff to consider these positions as they come available. The Department also stated they are further committed to training and preparing staff for other internal audit positions within the State.

WEAKNESSES IN CYBERSECURITY PROGRAMS AND PRACTICES

The Department had not implemented adequate internal controls related to cybersecurity programs and practices.

During our examination of the Department’s cybersecurity program, practices, and control of confidential information, we noted the Department had not:

• Ensured all staff members and contractors completed cybersecurity training upon employment and annually thereafter. During testing we noted three of 40 (8%) employees tested did not complete security awareness training. Additionally, one of five (20%) contractors had enrolled in the course but had not completed it.
• Documented and implemented a formal backup policy related to backup verification and off-site storage.
• Documented a formal change management policy noting Department specific procedures.
• Ensured that data classification documentation included information related to data retention and destruction.

(Finding 10, pages 34-35)

This finding has been reported since 2019.

We recommended the Department:

• Ensure all employees and contractors complete security awareness training annually.
• Document a formal backup policy and change management policy and procedures.
• Include information related to retention and destruction to the data classification documentation.

The Department accepted the finding and recommendation. The Department stated it is in the process of hiring an Information Risk Officer to oversee technology trainings and to develop and document a formal backup policy along with a retention and destruction policy. The Department stated this position will also work with the Department of Innovation & Technology (DoIT) to ensure DoIT cybersecurity policies are followed within the Department.

OTHER FINDINGS

The remaining findings are reportedly being given attention by Department personnel. We will review the Department’s progress towards the implementation of our recommendations in our next audit/examination.

AUDITOR’S OPINION

The auditors stated the financial statements of the Department as of and for the year ended June 30, 2023 are fairly stated in all material respects.

ACCOUNTANT’S OPINION

The accountants conducted a State compliance examination of the Department for the two years ended June 30, 2023, as required by the Illinois State Auditing Act. The accountants qualified their report on State compliance for Finding 2023-001 and Finding 2023-002. Except for the noncompliance described in these findings, the accountants stated the Agency complied, in all material respects, with the requirements described in the report.

This State compliance examination was conducted by Sikich LLP.

JANE CLARK
Division Director

This report is transmitted in accordance with Section 3-14 of the Illinois State Auditing Act.

FRANK J. MAUTINO
Auditor General

FJM:meg