REPORT DIGEST

STATE BOARD OF ELECTIONS

COMPLIANCE EXAMINATION
FOR THE TWO YEARS ENDED JUNE 30, 2019

Release Date: January 28, 2020

FINDINGS THIS AUDIT: 8

CATEGORY        NEW    REPEAT    TOTAL
Category 1:       1         0        1
Category 2:       5         2        7
Category 3:       0         0        0
TOTAL:            6         2        8

FINDINGS LAST AUDIT: 4

Category 1: Findings that are material weaknesses in internal control and/or a qualification on compliance with State laws and regulations (material noncompliance).
Category 2: Findings that are significant deficiencies in internal control and noncompliance with State laws and regulations.
Category 3: Findings that have no internal control issues but are in noncompliance with State laws and regulations.

State of Illinois, Office of the Auditor General
FRANK J. MAUTINO, AUDITOR GENERAL

To obtain a copy of the Report contact:
Office of the Auditor General, Iles Park Plaza, 740 E. Ash Street, Springfield, IL 62703
(217) 782-6046 or TTY (888) 261-2887

This Report Digest and Full Report are also available on the worldwide web at www.auditor.illinois.gov

SYNOPSIS

• (19-01) The Board did not implement adequate internal controls related to cybersecurity programs and practices.
• (19-02) The Board did not comply with certain requirements of the Election Code (10 ILCS 5).
• (19-03) The Board could not demonstrate compliance with all restrictions of the Raffles and Poker Runs Act (230 ILCS 15) when granting raffle licenses.

FINDINGS, CONCLUSIONS, AND RECOMMENDATIONS

WEAKNESSES IN CYBERSECURITY PROGRAMS AND PRACTICES

The State Board of Elections (Board) had not implemented adequate internal controls related to cybersecurity programs and practices. The Illinois State Auditing Act (30 ILCS 5/3-2.4) requires the Auditor General to review State agencies and their cybersecurity programs and practices.
During our examination of the Board’s cybersecurity program, practices, and control of confidential information, we noted the Board:

• Had not classified its data to identify and ensure adequate protection of the information (i.e., confidential or personal information) most susceptible to attack.
• Had not evaluated and implemented appropriate controls to reduce the risk of attack.
• Had not ensured all staff members completed cybersecurity training upon employment and annually thereafter.
• Had not developed a formal, comprehensive, adequate, and communicated security program (policies, procedures, and processes) to manage and monitor the regulatory, legal, environmental, and operational requirements. Although the Board’s Policy Manual included minimum requirements for acceptable usage of information technology, the Policy Manual did not address access provisioning requirements, security awareness and training, or data maintenance and destruction. (Finding 1, pages 9-10)

We recommended the Board: perform an assessment to identify and classify data to ensure adequate protection of the confidential or personal information most susceptible to attack; evaluate identified risks and implement appropriate controls to reduce those risks; ensure all staff members annually complete cybersecurity training as outlined in the Data Security on State Computers Act; and establish and communicate the Board’s security program (formal and comprehensive policies, procedures, and processes) to manage and monitor the regulatory, legal, environmental, and operational requirements.

Board officials partially agreed with the finding. The Board stated it will analyze and classify its data and create and implement a comprehensive security program. However, the Board stated it believes it has evaluated and implemented several technical security controls that have significantly increased the Board’s security posture and reduced its attack surface.
Regarding cybersecurity training, the Board believes it is in compliance with the statutory requirement that staff complete annual cybersecurity training.

NONCOMPLIANCE WITH ELECTION CODE

The Board did not comply with certain requirements of the Election Code (10 ILCS 5) (Code) during the examination period.

As of the end of fieldwork, we noted the Board had not established monitoring mechanisms to determine whether business entities were updating their registrations as needed and, therefore, was not assessing the requisite civil penalty. Section 9-35(e) of the Code states the Board shall impose a civil penalty of $1,000 per business day for failure of a business entity to update a registration as required by Section 20-160 of the Illinois Procurement Code (30 ILCS 500).

Further, we noted 1 of 9 (11%) Board actions tested was entered in the Board’s online database 617 days beyond the five business days after action was taken or the penalty was imposed on the complaint. In addition, 3 of the 9 (33%) had no documentation supporting the date the Board’s online database was updated after the action was taken or the penalty was imposed. Section 9-23.5 of the Code requires the Board to update its online database of all complaints filed with the Board within five business days after action is taken or a penalty is imposed on a complaint. (Finding 2, pages 11-12)

We recommended the Board comply with the requirements of the Election Code. If the requirements of the Code require monitoring or enforcement resources beyond the present capabilities of the Board, we recommended the Board seek assistance from outside parties to perform these duties as presently prescribed in the Election Code. Otherwise, we suggested the Board seek legislative relief from the requirements.
In addition, we recommended the Board update the capabilities of its online database to ensure its actions and penalties are entered into the database within five business days after action is taken or a penalty is imposed on a complaint.

Board officials partially agreed with the finding as it related to Section 9-35(e). The Board agreed it is not enforcing this section, but disagreed that it has the ability to do so. The Board will continue to pursue a legislative remedy to this requirement.

Further, Board officials disagreed with the finding as it related to Section 9-23.5. Following the prior engagement period, the Board implemented new procedures and protocols to ensure the database was updated in a timely fashion. However, it did not apply these changes retroactively, so one of the complaints tested occurred prior to the changes and was not updated. In addition, the Board maintains that the database is being updated timely and in accordance with Section 9-23.5. However, the current system lacks the means to provide documentation verifying that existing records are subsequently updated: the time stamp for records in the database reflects only the date the original entry was made, not the updates. The Board will determine whether a change to the system is feasible or practical to address future requests from auditors.

NONCOMPLIANCE WITH RAFFLES AND POKER RUNS ACT

The Board could not demonstrate compliance with all restrictions of the Raffles and Poker Runs Act (Act) when granting raffle licenses.

The Act (230 ILCS 15/8.1(c)) restricts the raffle licenses issued by the Board and states the following are ineligible entities for licenses:

i. Any political committee which has an officer who has been convicted of a felony;
ii. Any political committee which has an officer who is or has been a professional gambler or gambling promoter;
iii. Any political committee which has an officer who is not of good moral character;
iv. Any political committee which has an officer who is also an officer of a firm or corporation in which a person defined in (i), (ii), or (iii) has a proprietary, equitable, or credit interest, or in which such a person is active or employed;
v. Any political committee in which a person defined in (i), (ii), or (iii) is an officer, director, or employee, whether compensated or not;
vi. Any political committee in which a person defined in (i), (ii), or (iii) is to participate in the management or operation of a raffle as defined in this Section.

We tested 40 raffle applications received from political action committees and acted upon by the Board during the examination period. We were not able to determine whether or not the Board issued raffle licenses during the examination period to entities ineligible for licenses under the criteria prescribed in the Act, because the Board had not established a monitoring mechanism to vet this information; therefore, no information was available to review. (Finding 3, pages 13-14)

We recommended the Board establish, implement, and document procedures for tracking and monitoring raffle licenses to ensure compliance with the Raffles and Poker Runs Act. If those specific requirements of the Act require monitoring or enforcement resources beyond the present capabilities of the Board, we recommended the Board seek assistance from outside parties to perform these duties as presently prescribed in the Act. Otherwise, we recommended the Board seek legislative relief from the requirement.

Board officials partially agreed with the finding, in that they are not enforcing the listed provisions, but disagreed because they do not believe it is possible to effectively enforce that section of the Act. Board officials stated they will continue to pursue a legislative remedy to this requirement.
OTHER FINDINGS

The remaining findings pertain to weaknesses in controls over State property, failure to enter into agreements with other State agencies for the transmission of voter registration data, a lack of a formal change management process, inadequate disaster recovery planning, and a lack of system development documentation.

We will review the Board’s progress towards the implementation of our recommendations in our next compliance examination.

ACCOUNTANT’S OPINION

The accountants conducted a compliance examination of the Board for the two years ended June 30, 2019, as required by the Illinois State Auditing Act. The accountants qualified their report on State compliance for Finding 2019-001. Except for the noncompliance described in this finding, the accountants stated the Board complied, in all material respects, with the requirements described in the report.

The compliance examination was conducted by Sikich LLP.

JANE CLARK
Division Director

This report is transmitted in accordance with Section 3-14 of the Illinois State Auditing Act.

FRANK J. MAUTINO
Auditor General

FJM:jv