REPORT DIGEST

HUMAN RIGHTS COMMISSION
COMPLIANCE EXAMINATION FOR THE YEAR ENDED JUNE 30, 2021

Release Date: March 2, 2023

FINDINGS THIS AUDIT: 4

CATEGORY      NEW   REPEAT   TOTAL
Category 1:    0      0        0
Category 2:    2      1        3
Category 3:    0      1        1
TOTAL:         2      2        4

FINDINGS LAST AUDIT: 4

Category 1: Findings that are material weaknesses in internal control and/or a qualification on compliance with State laws and regulations (material noncompliance).
Category 2: Findings that are significant deficiencies in internal control and noncompliance with State laws and regulations.
Category 3: Findings that have no internal control issues but are in noncompliance with State laws and regulations.

State of Illinois, Office of the Auditor General
FRANK J. MAUTINO, AUDITOR GENERAL

To obtain a copy of the Report contact: Office of the Auditor General, Iles Park Plaza, 740 E. Ash Street, Springfield, IL 62703, (217) 782-6046 or TTY (888) 261-2887

This Report Digest and Full Report are also available on the worldwide web at www.auditor.illinois.gov

SYNOPSIS

• (21-1) The Human Rights Commission (Commission) had not implemented adequate internal controls related to cybersecurity programs, practices and control of confidential information.

FINDINGS, CONCLUSIONS, AND RECOMMENDATIONS

WEAKNESSES IN CYBERSECURITY PROGRAMS AND PRACTICES

The Human Rights Commission (Commission) had not implemented adequate internal controls related to cybersecurity programs, practices and control of confidential information. The Commission had computer systems that contained confidential or personal information.
During the examination of the Commission's cybersecurity program, practices and control of confidential information, we noted the Commission had not:

• Developed a formal, comprehensive, adequate, and communicated security program (including policies, procedures, and processes as well as clearly defined responsibilities over the security of computer programs and data) to manage and monitor the regulatory, legal, environmental and operational requirements.
• Developed a project management framework to ensure new applications were adequately developed and implemented in accordance with management's expectations.
• Developed a risk management methodology, conducted a comprehensive risk assessment, or implemented risk reducing internal controls.
• Developed policies and procedures governing the maintenance and destruction of its data.
• Developed a data classification methodology or classified its data to identify and ensure adequate protection of information.
• Required contractors to acknowledge receipt and understanding of the Commission's Policy Manual.
• Required its employees and contractors to complete cybersecurity training. (Finding 1, pages 12-14)

We recommended the Commission work with the Department of Innovation and Technology to obtain an understanding of each party's responsibilities as they relate to cybersecurity controls. Additionally, we recommended the Commission:

• Develop a formal, comprehensive, adequate, and communicated security program (including policies, procedures, and processes as well as clearly defined responsibilities over the security of computer programs and data) to manage and monitor the regulatory, legal, environmental and operational requirements.
• Develop a project management framework to ensure new applications are adequately developed and implemented in accordance with management's expectations.
• Develop a risk management methodology, conduct a comprehensive risk assessment, and implement risk reducing internal controls.
• Develop policies and procedures governing the maintenance and destruction of its data.
• Develop a data classification methodology and classify its data to identify and ensure adequate protection of information.
• Require contractors to acknowledge receipt and understanding of the Commission's Policy Manual.
• Require employees and contractors to complete cybersecurity training.

The Commission agreed with the finding.

OTHER FINDINGS

The remaining findings pertain to vacancies on the Illinois Torture Inquiry and Relief Commission (ITIRC), ITIRC decisions not being deposited with the Illinois State Library, and inadequate controls over travel expenditures. We will review the Commission's and ITIRC's progress towards the implementation of our recommendations in our next compliance examination.

ACCOUNTANT'S OPINION

The accountants conducted a compliance examination of the Commission for the two years ended June 30, 2021, as required by the Illinois State Auditing Act. The accountants stated the Commission complied, in all material respects, with the requirements described in the report.

This compliance examination was conducted by the Office of the Auditor General's staff.

JANE CLARK
Division Director

This report is transmitted in accordance with Section 3-14 of the Illinois State Auditing Act.

FRANK J. MAUTINO
Auditor General

FJM:jv