REPORT DIGEST ILLINOIS CONSERVATION FOUNDATION FINANCIAL AUDIT FOR THE YEAR ENDED JUNE 30, 2021 Release Date: December 29, 2021 FINDINGS THIS AUDIT: 1 CATEGORY: NEW -- REPEAT -- TOTAL Category 1: 0 -- 0 -- 0 Category 2: 1 -- 0 -- 1 Category 3: 0 -- 0 -- 0 TOTAL: 1 -- 0 -- 1 FINDINGS LAST AUDIT: 1 Category 1: Findings that are material weaknesses in internal control and/or a qualification on compliance with State laws and regulations (material noncompliance). Category 2: Findings that are significant deficiencies in internal control and noncompliance with State laws and regulations. Category 3: Findings that have no internal control issues but are in noncompliance with State laws and regulations. State of Illinois, Office of the Auditor General FRANK J. MAUTINO, AUDITOR GENERAL To obtain a copy of the Report contact: Office of the Auditor General, Iles Park Plaza, 740 E. Ash Street, Springfield, IL 62703 (217) 782-6046 or TTY (888) 261-2887 This Report Digest and Full Report are also available on the worldwide web at www.auditor.illinois.gov INTRODUCTION This digest covers our financial audit of the Illinois Conservation Foundation (Foundation) as of and for the year ended June 30, 2021. The Foundation’s compliance examination covering the year ended June 30, 2021 will be released under a separate cover. SYNOPSIS • (21-01) The Foundation did not timely obtain or conduct timely independent internal control reviews over its service providers. FINDINGS, CONCLUSIONS, AND RECOMMENDATIONS LACK OF ADEQUATE CONTROLS OVER THE REVIEW OF INTERNAL CONTROLS OVER SERVICE PROVIDERS The Illinois Conservation Foundation (Foundation) did not timely obtain or conduct timely independent internal controls reviews over its service providers. During testing of the Foundation’s five service providers, we noted the Foundation had not: • Timely obtained and reviewed the five (100%) service providers’ System and Organization Controls (SOC) reports and tracked compliance with service levels agreed to with the service providers. • Monitored and documented the operation of the Complementary User Entity Controls (CUECs) relevant to its operations for the five (100%) service providers. • Timely obtained and reviewed SOC reports for subservice providers for two of two (100%) service providers or performed alternative procedures to determine the impact on its internal control environment. (Finding 1, pages 31-32) We recommended the Foundation: • Timely obtain SOC reports or perform independent reviews of internal controls associated with outsourced systems at least annually; • Monitor and document the operation of the Complementary User Entity Controls (CUECs) relevant to the Foundation's operations; and, • Review service level agreements with service providers to ensure applicable requirements are met. In addition, we recommended for SOC reports with one or more subservice providers, the Foundation should: • Either obtain and review a SOC report for each subservice provider or perform alternative procedures to satisfy the usage of each subservice provider would not impact the Foundation's internal control environment; and, • Document its review of the SOC reports and review all significant issues with each subservice provider to ascertain if a corrective action plan exists and when it will be implemented, any impacts to the Foundation, and any compensating controls. The Foundation agreed with the recommendation and stated the Foundation will attempt to obtain and review SOC reports as they become available in the future. AUDITOR’S OPINION The auditors stated the financial statements of the Foundation as of and for the year ended June 30, 2021, are fairly stated in all material respects. This financial audit was conducted by Roth & Company, LLP. JANE CLARK Division Director This report is transmitted in accordance with Section 3-14 of the Illinois State Auditing Act. FRANK J. MAUTINO Auditor General FJM:vrb