REPORT DIGEST

OFFICE OF COMPTROLLER - FISCAL OFFICER RESPONSIBILITIES
COMPLIANCE EXAMINATION FOR THE YEAR ENDED JUNE 30, 2022

Release Date: March 23, 2023

FINDINGS THIS AUDIT: 6

CATEGORY       NEW   REPEAT   TOTAL
Category 1:     1      1        2
Category 2:     4      0        4
Category 3:     0      0        0
TOTAL:          5      1        6

FINDINGS LAST AUDIT: 1

Category 1: Findings that are material weaknesses in internal control and/or a qualification on compliance with State laws and regulations (material noncompliance).
Category 2: Findings that are significant deficiencies in internal control and noncompliance with State laws and regulations.
Category 3: Findings that have no internal control issues but are in noncompliance with State laws and regulations.

State of Illinois, Office of the Auditor General
FRANK J. MAUTINO, AUDITOR GENERAL

To obtain a copy of the Report contact: Office of the Auditor General, Iles Park Plaza, 740 E. Ash Street, Springfield, IL 62703
(217) 782-6046 or TTY (888) 261-2887
This Report Digest and Full Report are also available on the worldwide web at www.auditor.illinois.gov

INTRODUCTION

This digest covers the Office of Comptroller’s (Office) Fiscal Officer Responsibilities Compliance Examination for the year ended June 30, 2022. The Office’s Fiscal Officer Responsibilities Financial Audit as of and for the year ended June 30, 2022 was previously released on December 21, 2022. In total, this report contains six findings, two of which were also reported in the Financial Audit.

SYNOPSIS

• (22-06) The Office had not implemented adequate controls over its service providers.

FINDINGS, CONCLUSIONS, AND RECOMMENDATIONS

INADEQUATE CONTROLS OVER SERVICE PROVIDERS

The Office of Comptroller (Office) had not implemented adequate controls over its service providers.

We requested the Office provide the population of service providers utilized during the examination period to determine if the Office had reviewed the internal controls of its service providers.
In response to our request, the Office provided a listing; however, the Office did not provide documentation demonstrating the listing was complete and accurate. Due to these conditions, we were unable to conclude the Office’s population records were sufficiently precise and detailed under the Professional Standards promulgated by the American Institute of Certified Public Accountants (AT-C § 205.36).

Even given the population limitations noted above, we performed testing over three of six service providers identified by the Office. The Office utilized service providers for hosting services and software as a service. Our testing noted the Office had not:

• Obtained System and Organization Control (SOC) reports or conducted independent internal control reviews for the three service providers.
• Conducted an analysis to determine the impact of noted deviations within the SOC report.
• Monitored and documented the operation of the Complementary User Entity Controls (CUECs) related to the Office’s operations.
• Obtained and reviewed SOC reports for subservice providers or performed alternative procedures to determine the impact on its internal control environment.
• Developed or implemented procedures for monitoring service providers.

We also noted the service providers’ contracts did not contain requirements for independent reviews to be conducted. (Finding 6, pages 21-22)

We recommended the Office strengthen its controls in identifying and documenting all service providers utilized. Further, we recommended the Office:

• Obtain SOC reports or conduct independent internal control reviews.
• Conduct an analysis to determine the impact of noted deviations within the SOC report.
• Monitor and document the operation of the CUECs related to the Office’s operations.
• Obtain and review SOC reports for subservice providers or perform alternative procedures to determine the impact on its internal control environment.
• Develop and implement procedures for monitoring service providers.
• Ensure the service providers’ contracts contain requirements for independent reviews to be conducted.

The Office agreed with the recommendations and stated the Office was developing a process and formalizing procedures to identify, obtain, and document review of service organizations.

OTHER FINDINGS

The remaining findings pertain to the Office’s late payment of statutorily mandated transfers, failure to implement adequate Information Technology controls, inadequate controls over remote access, inadequate disaster recovery planning, and weaknesses in cybersecurity programs and practices. We will review the Office’s progress towards the implementation of our recommendations in our next compliance examination.

ACCOUNTANT’S OPINION

The accountants conducted a compliance examination of the Office of Comptroller, Fiscal Officer Responsibilities for the year ended June 30, 2022, as required by the Illinois State Auditing Act. The accountants qualified their report on State compliance for Findings 2022-001 and 2022-002. Except for the noncompliance described in these findings, the accountants stated the Office of Comptroller, Fiscal Officer Responsibilities, complied in all material respects with the requirements described in the report.

This compliance examination was conducted by Sikich LLP.

JANE CLARK
Division Director

This report is transmitted in accordance with Section 3-14 of the Illinois State Auditing Act.

FRANK J. MAUTINO
Auditor General

FJM:vrb