REPORT DIGEST

ILLINOIS CONSERVATION FOUNDATION

COMPLIANCE EXAMINATION
FOR THE YEAR ENDED JUNE 30, 2021

Release Date: December 29, 2021

FINDINGS THIS AUDIT: 2

CATEGORY: NEW -- REPEAT -- TOTAL
Category 1: 0 -- 0 -- 0
Category 2: 2 -- 0 -- 2
Category 3: 0 -- 0 -- 0
TOTAL: 2 -- 0 -- 2

FINDINGS LAST AUDIT: 1

Category 1: Findings that are material weaknesses in internal control and/or a qualification on compliance with State laws and regulations (material noncompliance).
Category 2: Findings that are significant deficiencies in internal control and noncompliance with State laws and regulations.
Category 3: Findings that have no internal control issues but are in noncompliance with State laws and regulations.

State of Illinois, Office of the Auditor General
FRANK J. MAUTINO, AUDITOR GENERAL

To obtain a copy of the Report contact: Office of the Auditor General, Iles Park Plaza, 740 E. Ash Street, Springfield, IL 62703, (217) 782-6046 or TTY (888) 261-2887

This Report Digest and Full Report are also available on the worldwide web at www.auditor.illinois.gov

INTRODUCTION

This digest covers the Illinois Conservation Foundation’s (Foundation) compliance examination for the year ended June 30, 2021. A separate digest covering the Foundation’s financial audit as of and for the year ending June 30, 2021 will be released under a separate cover. In total, this report contains two findings, one of which was reported in the Financial Audit.

SYNOPSIS

• (21-02) The Foundation did not ensure compliance with the Payment Card Industry Data Security Standards.

FINDINGS, CONCLUSIONS, AND RECOMMENDATIONS

NONCOMPLIANCE WITH PAYMENT CARD INDUSTRY DATA SECURITY STANDARDS

The Illinois Conservation Foundation (Foundation) did not ensure compliance with the Payment Card Industry Data Security Standards (PCI DSS).

During testing, we noted the Foundation had not:

• Formally assessed each program accepting credit card payments, the methods in which payments could be made, matched these methods to the appropriate Self-Assessment Questionnaire (SAQ), and contacted service providers to obtain relevant information and guidance as deemed appropriate.
• Completed a SAQ addressing all elements of its environment utilized to store, process, and transmit cardholder data. (Finding 2, pages 11-12)

We recommended the Foundation assess each program accepting credit card payments, the methods in which payments can be made, match these methods to the appropriate SAQ, work with the service providers to obtain relevant information, and complete those SAQs at least annually.

The Foundation agreed with the recommendation and stated the SAQ was not completed due to staffing constraints and competing priorities.

AUDITOR’S OPINION

The financial audit report was released under a separate cover. The auditors stated the financial statements of the Foundation as of and for the year ended June 30, 2021, are fairly stated in all material respects.

ACCOUNTANT’S OPINION

The accountants conducted a State compliance examination of the Foundation for the year ended June 30, 2021, as required by the Illinois State Auditing Act. The accountants stated the Foundation complied, in all material respects, with the requirements described in the report.

This State compliance examination was conducted by Roth & Company, LLP.

JANE CLARK
Division Director

This report is transmitted in accordance with Section 3-14 of the Illinois State Auditing Act.

FRANK J. MAUTINO
Auditor General

FJM:vrb