REPORT DIGEST ILLINOIS CONSERVATION FOUNDATION FINANCIAL AUDIT FOR THE YEAR ENDED JUNE 30, 2024 Release Date: February 20, 2025 FINDINGS THIS AUDIT: 1 CATEGORY: NEW -- REPEAT – TOTAL Category 1: 0 -- 0 -- 0 Category 2: 0 -- 1 -- 1 Category 3: 0 -- 0 -- 0 TOTAL: 0 -- 1 -- 1 FINDINGS LAST AUDIT: 1 State of Illinois, Office of the Auditor General FRANK J. MAUTINO, AUDITOR GENERAL To obtain a copy of the Report contact: Office of the Auditor General, 400 West Monroe, Suite 306, Springfield, IL 62704-9849 (217) 782-6046 or TTY (888) 261-2887 This Report Digest and Full Report are also available on the worldwide web at www.auditor.illinois.gov INTRODUCTION This digest covers the financial audit of the Illinois Conservation Foundation (Foundation) as of and for the year ended June 30, 2024. SYNOPSIS • (24-01) The Foundation did not have adequate controls over review of internal controls over its service providers. FINDINGS, CONCLUSIONS, AND RECOMMENDATIONS LACK OF ADEQUATE CONTROLS OVER THE REVIEW OF INTERNAL CONTROLS OVER SERVICE PROVIDERS The Illinois Conservation Foundation (Foundation) did not have adequate controls over the review of internal controls over its service providers. During testing of the six service providers, we noted the Foundation had not: • Obtained the System and Organization Controls (SOC) reports or performed independent reviews of internal controls associated with outsourced systems for two (33%) service providers. • Adequately documented the review of SOC reports for four (67%) service providers. • Obtained and reviewed SOC reports for subservice providers or performed alternative procedures to determine the impact on its internal control environment. Two service providers’ (33%) SOC reports identified subservice providers. • Monitored and documented the operation of the Complementary User Entity Controls (CUECs) relevant to its operations for three (50%) service providers. • Ensured a requirement for an independent review of internal controls was included within the contract between the Foundation and the one (17%) service provider. • Conducted an analysis to determine the impact of noted deviations within the SOC reports for two (33%) service providers. • Obtained a bridge letter for one (17%) service provider when the SOC report did not encompass the entire audit period. (Finding 1, pages 30-31) This finding was first reported in fiscal year 2021 We recommended the Foundation: • Obtain and review SOC reports or perform independent reviews of internal controls associated with outsourced system at least annually. • Adequately document the review of SOC reports. • Either obtain and review SOC reports for subservice providers or perform alternative procedures to satisfy the use of the subservice providers would not impact the Foundation’s internal control environment. • Monitor and document the operation of CUECs relevant to the Foundation’s operations. • Review contracts with service providers to ensure applicable requirements over the independent review of internal controls are included. • Conduct an analysis to determine the impact of noted deviations within the SOC reports. • Obtain bridge letters when SOC reports do not cover the entire audit period. The Foundation agreed with the recommendation. AUDITOR’S OPINION The auditors stated the financial statements of the Foundation as of and for the year ended June 30, 2024, are fairly stated in all material respects. This financial audit was conducted by Roth & Company, LLP. COURTNEY DZIERWA Division Director This report is transmitted in accordance with Section 3-14 of the Illinois State Auditing Act. FRANK J. MAUTINO Auditor General FJM:vrb