REPORT DIGEST

ILLINOIS GENERAL ASSEMBLY – HOUSE OF
REPRESENTATIVES

COMPLIANCE EXAMINATION
FOR THE TWO YEARS ENDED JUNE 30, 2023

Release Date:  October 3, 2024

FINDINGS THIS AUDIT: 4

CATEGORY:  NEW -- REPEAT – TOTAL
Category 1:  0 -- 0 -- 0
Category 2:  2 -- 2 -- 4
Category 3:  0 -- 0 -- 0
TOTAL:  2 -- 2 -- 4

FINDINGS LAST AUDIT: 3

State of Illinois, Office of the Auditor
General
FRANK J. MAUTINO, AUDITOR GENERAL

To obtain a copy of the Report contact:
Office of the Auditor General, 400 West
Monroe, Suite 306, Springfield, IL
62704-9849
(217) 782-6046 or TTY (888) 261-2887

This Report Digest and Full Report are also
available on the worldwide web at
www.auditor.illinois.gov

SYNOPSIS

• (23-4) The House of Representatives had
not implemented adequate internal controls
over its service providers.

FINDINGS, CONCLUSIONS, AND RECOMMENDATIONS

INADEQUATE CONTROLS OVER THE REVIEW OF
INTERNAL CONTROLS FOR SERVICE PROVIDERS

The House had not implemented adequate
internal controls over its service
providers.

The Office of the Clerk of the House
(Office) and the House Democratic Leadership
did not provide their populations of service
providers utilized to determine if they had
reviewed internal controls over their
service providers. The Office and the House
Democratic Leadership utilized two service
providers each but did not obtain System and
Organization Control (SOC) reports from its
service providers or conduct independent
internal control reviews of the service
providers.

House Republican Leadership did not provide
6 of 11 (55%) of their service providers’
SOC reports for our testing.   Of the 5 SOC
reports which were provided for our review,
we noted the following:

• For 1 of 5 SOC reports tested (20%), House
Republican staff noted there were no
subservice organizations noted in the
report, whereas our review of the SOC
reports identified subservice organizations
and related control weaknesses cited in the
report.

• For 5 of 5 SOC reports tested (100%) where
Complementary Subservice Organization
Controls (CSOCs) were identified, the
documentation did not include the agency’s
assessment of the controls associated with
the use of subservice organizations or
documentation that they performed
alternative procedures to determine the
impact on its internal control environment.

• For 4 SOC reports tested where
Complementary User Entity Controls (CUECs)
were identified (100%), the documentation
did not include the Agency's detailed
analysis of the CUECs and controls in place
to address those CUECs identified in the SOC
reports. (Finding 4, pages 20-22)

We recommended the House implement internal
controls over service providers to include
the following:

• Develop a process to identify and document
all service providers utilized on an annual
basis;
• Obtain SOC reports or perform independent
reviews of internal controls associated with
service providers at least annually;
• Analyze the SOC reports obtained to
determine and document the impact of the
report’s opinion and noted deviations;
• Obtain and review subservice provider SOC
reports; and
• Document its review of the SOC reports and
review all significant issues with
subservice organizations to ascertain if a
corrective action plan exists and when it
will be implemented, any impacts to the
House, and any compensating controls.

The Office of the Clerk of the House stated
they concur and will implement regular
reviews of service provider SOC reports. The
House – Democratic Leadership concurs with
this finding and will conduct internal
control reviews of the EDP service providers
in the future. House Republican Leadership
stated they accept that HGOP will review and
document SOC reports from subservice
providers that meet the review criteria as
stated and will also review and document
complementary user entity controls. The HGOP
will investigate proper procedures and
permissions within non-disclosure agreements
as to whether SOC reports may be made
visually available to outside auditors.

OTHER FINDINGS

The remaining findings pertain to personnel
and information technology. We will review
the Agency’s progress towards the
implementation of our recommendations in our
next State compliance examination.

ACCOUNTANT’S OPINION

The accountants conducted a State compliance
examination of the Agency for the two years
ended June 30, 2023, as required by the
Illinois State Auditing Act.  The
accountants stated the Agency complied, in
all material respects, with the requirements
describe in the report.

This State compliance examination was
conducted by Adelfia LLC.

JANE CLARK
Division Director

This report is transmitted in accordance
with Section 3-14 of the Illinois State
Auditing Act.

FRANK J. MAUTINO
Auditor General

FJM:lkw